Abstract. This paper is concerned with the form of typed name binding used by the FreshML family of languages. Its characteristic feature is that a name binding is represented by an abstract (name,value)-pair that may only be deconstructed via the generation of fresh bound names. The paper proves a new result about what operations on names can co-exist with this construct. In FreshML the only observation one can make of names is to test whether or not they are equal. This restricted amount of observation was thought necessary to ensure that there is no observable difference between alpha-equivalent name binders. Yet from an algorithmic point of view it would be desirable to allow other operations and relations on names, such as a total ordering. This paper shows that, contrary to expectations, one may add not just ordering, but almost any relation or numerical function on names without disturbing the fundamental correctness result about this form of typed name binding (that object-level alpha-equivalence precisely corresponds to contextual equivalence at the programming meta-level), so long as one takes the state of dynamically created names into account.



1. Introduction

FreshML and the language systems that it has inspired provide some user-friendly facilities within the context of strongly typed functional programming for computing with syntactical data structures involving names and name binding. The underlying theory was presented in [PG00, SPG03] and has been realised in the Fresh patch of Objective Caml [Shi05b]. FreshML has also inspired Pottier's Cαml tool [Pot05] for Objective Caml and Cheney's FreshLib library [Che05] for Haskell. The approach taken to binding in all these works is "nominal" in that the user is given access to the names of bound entities and can write syntax manipulating programs that follow the informal practice of referring to α-equivalence classes of terms via representatives. However, in FreshML the means of access to bound names is carefully controlled by the type system. It has been shown [Shi05a, SP05b] that its static and dynamic properties combine to guarantee a certain "correctness of representation" property: data structures representing α-equivalent syntactical terms (that is, ones differing only in the names of bound entities) always behave the same in any program. So even though programs can name names, as it were, α-equivalence of name bindings is taken care of automatically by the programming language design.

    type atm
    type α bnd
    val fresh : unit -> atm
    val bind : atm * α -> α bnd
    val unbind : α bnd -> atm * α
    val (=) : atm -> atm -> bool

Figure 1: A signature for name binding.

Of course such a correctness of representation property depends rather delicately upon which operations on bound names are allowed. At the heart of this approach to binding is an operation that we call generative unbinding. To explain what it involves, consider a simplified version of Fresh Objective Caml with a single type atm of bindable names and a parametric family of types α bnd classifying abstractions of single names over values of type α. To explain: both atm and α bnd are abstract types that come with the signature of operations shown in Figure 1. The closed values of type atm are drawn from a countably infinite set A of symbols that we call atoms. Programs only get access to atoms by evaluating the expression fresh() to get a fresh one; and hence program execution depends upon a state recording the atoms that have been created so far. Given a type τ, closed values of type τ bnd are called atom bindings and are given by pairs «a»v consisting of an atom a : atm and a closed value v : τ. Atom bindings are constructed by evaluating bind(a, v). Fresh Objective Caml provides a very convenient form of generative pattern-matching for deconstructing atom bindings. To keep things simple, here we will avoid the use of pattern-matching and consider an equivalent mechanism for deconstructing atom bindings via an unbind function carrying out generative unbinding: unbind «a»v evaluates by first evaluating fresh() to obtain a fresh atom a' and then returning the pair (a', v{a'/a}), where in general v{a'/a} denotes the value obtained from v by renaming all occurrences of a to be a'. The instance of renaming that arises when evaluating unbind «a»v is special: the fresh atom a' does not occur in v and so v{a'/a} is equivalent to the result of applying to v the semantically better behaved operation of swapping a and a'. Although implementing such an atom swapping operation on all types of values is the main extension that the Fresh patch makes to Objective Caml, we have not included a swap : atm -> atm -> α -> α operation in the signature of Figure 1. This is because it is possible for users to define atom swapping themselves for specific types on a case-by-case basis. Although this approach has some limitations, it is enough for our purposes here. (The approach is more useful in the presence of Haskell-style type classes; see [Che05].)

The type α bnd is used in data type declarations in the argument type of value constructors representing binders. To take a familiar example, the terms of the untyped λ-calculus (all terms, whether open or closed, with variables given by atoms a ∈ A)

$$t ::= a \mid \lambda a.t \mid t\,t$$

can be represented by closed values of the type term given by the declaration

    type term = V of atm | L of term bnd | A of term * term .        (1.1)

The value ⌜t⌝ : term representing a λ-term t is defined by

$$\ulcorner a \urcorner \triangleq \texttt{V}\,a \qquad \ulcorner \lambda a.t \urcorner \triangleq \texttt{L}\,«a»\ulcorner t \urcorner \qquad \ulcorner t_1\,t_2 \urcorner \triangleq \texttt{A}(\ulcorner t_1 \urcorner, \ulcorner t_2 \urcorner) \qquad (1.2)$$

and satisfies:

Correctness of Representation: two λ-terms are α-equivalent, t1 =α t2, iff ⌜t1⌝ and ⌜t2⌝ are contextually equivalent closed values of type term, i.e. can be used interchangeably in any well-typed Fresh Objective Caml program without affecting the observable results of program execution.

Since it is also the case that every closed value of type term is of the form ⌜t⌝ for some λ-term t, it follows that there is a bijection between α-equivalence classes of λ-terms and contextual equivalence classes of closed values of type term. The Correctness of Representation property is not easy to prove because of the nature of contextual equivalence, with its quantification over all possible program contexts. It was established in [Shi05a, SP05b] using denotational methods that take permutations of atoms into account. The same methods can be used to generalise from the example of λ-terms to terms over any nominal signature in the sense of [UPG04].
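The operations of Figure 1 and the representation (1.2), as an added illustration in Python that is not code from the paper or from any FreshML implementation: the state of created atoms is an explicit list, unbind is generative (it allocates a fresh atom and renames), and an α-equivalence test for represented λ-terms is written using only unbind and atom equality, so that it cannot tell ⌜λa.a⌝ from ⌜λb.b⌝. The encodings (tagged tuples, the Atom and State classes, the atom labels) are this example's own assumptions.

```python
from dataclasses import dataclass
from typing import Any, List, Tuple

class Atom:
    """A bindable name.  Only identity is observable (the eq test)."""
    def __init__(self, label: str):
        self.label = label          # for printing only; never used for comparison
    def __repr__(self):
        return f"atom({self.label})"

class State:
    """The finite list of distinct atoms created so far; fresh() extends it."""
    def __init__(self):
        self.atoms: List[Atom] = []
    def fresh(self) -> Atom:
        a = Atom(f"a{len(self.atoms)}")
        self.atoms.append(a)
        return a

@dataclass(frozen=True)
class Bnd:
    """An atom binding «a»v; programs reach the atom only through unbind."""
    atom: Atom
    value: Any

def bind(a: Atom, v: Any) -> Bnd:
    return Bnd(a, v)

def rename(v: Any, old: Atom, new: Atom) -> Any:
    """v{new/old} on term values ('V', a) | ('L', Bnd) | ('A', t, t)."""
    if v[0] == 'V':
        return ('V', new if v[1] is old else v[1])
    if v[0] == 'L':
        b = v[1]
        return ('L', Bnd(new if b.atom is old else b.atom, rename(b.value, old, new)))
    return ('A', rename(v[1], old, new), rename(v[2], old, new))

def unbind(st: State, b: Bnd) -> Tuple[Atom, Any]:
    """Generative unbinding: a fresh atom a' and v{a'/a}.  The renaming cannot
    capture anything because a' occurs nowhere in the state so far."""
    a2 = st.fresh()
    return a2, rename(b.value, b.atom, a2)

def rep(t) -> Any:
    """⌜t⌝ for object-level terms ('var', a) | ('lam', a, t) | ('app', t, t)."""
    if t[0] == 'var':
        return ('V', t[1])
    if t[0] == 'lam':
        return ('L', bind(t[1], rep(t[2])))
    return ('A', rep(t[1]), rep(t[2]))

def alpha_eq(st: State, v1: Any, v2: Any, pairs=()) -> bool:
    """Decide t1 =α t2 on ⌜t1⌝, ⌜t2⌝ using only unbind and atom equality.
    `pairs` records (a1, a2) for binders unbound in parallel; because the
    unbound atoms are fresh, a free atom can never collide with them."""
    if v1[0] == 'V' and v2[0] == 'V':
        a, b = v1[1], v2[1]
        for a1, a2 in reversed(pairs):
            if a is a1 or b is a2:
                return a is a1 and b is a2
        return a is b
    if v1[0] == 'L' and v2[0] == 'L':
        a1, w1 = unbind(st, v1[1])
        a2, w2 = unbind(st, v2[1])
        return alpha_eq(st, w1, w2, pairs + ((a1, a2),))
    if v1[0] == 'A' and v2[0] == 'A':
        return alpha_eq(st, v1[1], v2[1], pairs) and alpha_eq(st, v1[2], v2[2], pairs)
    return False

def demo() -> Tuple[bool, bool, bool]:
    """λa.a vs λb.b (equivalent), λa.λb.a vs λb.λa.a (not), λa.b vs λb.b (not)."""
    st = State()
    a, b = st.fresh(), st.fresh()
    return (alpha_eq(st, rep(('lam', a, ('var', a))), rep(('lam', b, ('var', b)))),
            alpha_eq(st, rep(('lam', a, ('lam', b, ('var', a)))),
                         rep(('lam', b, ('lam', a, ('var', a))))),
            alpha_eq(st, rep(('lam', a, ('var', b))), rep(('lam', b, ('var', b)))))

if __name__ == '__main__':
    print(demo())   # (True, False, False)
```

Every call of unbind grows the state, which is the "hidden parameter" the abstract refers to: alpha_eq is a pure function of its two arguments only up to the atoms it allocates along the way.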

Contribution of this paper. For the signature in Figure 1 the only operation on atoms apart from bind is a test for equality: a = a' evaluates to true if a and a' are the same atom and to false otherwise. Adding extra operations and relations for atoms may well change which program phrases are contextually equivalent. Is it possible to have some relations or operations on atoms in addition to equality without invalidating the above Correctness of Representation property? For example it would be very useful to have a linear order (<) : atm -> atm -> bool, so that values of type atm could be used as keys in efficient data structures for finite maps and the like. We show that this is possible, and more. This is a rather unexpected result, for the following reason.

The proof of the Correctness of Representation property given in [Shi05a, SP05b] relies upon equivariant properties of the semantics, in other words ones whose truth is invariant under permuting atoms. Atom equality is equivariant: since a permutation is in particular bijective, it preserves and reflects the value of a = a'. At first it seems that a linear order on atoms cannot be equivariant, since if a < a' is true, then applying the permutation swapping a and a' we get a' < a, which is false. However, equivariance is a global property: when considering invariance of the truth of a property under permutations, it is crucial to take into account all the parameters upon which the property depends. Here there is a hidden parameter: the current state of dynamically created atoms. So we should permute the atoms in this state as well as the arguments of the relation. We shall see that it is perfectly possible to have a state-dependent equivariant ordering for the type atm without invalidating the Correctness of Representation property. Indeed we prove that one can add any n-ary function from atm to numbers (or to booleans, for that matter) whose semantics is reasonable (we explain what is reasonable in Section 3), without invalidating the Correctness of Representation property for any nominal signature.

We have to work quite hard to get this result, which generalises the one announced in [SPG03] (with a flawed proof sketch) and finally proved in [SP05b, Shi05a]; but whereas those works use denotational techniques, here we use an arguably more direct approach based on the operational semantics of the language. We obtain the correctness result (Theorem 5.3) as a corollary of a more general result (Propositions 5.7 and 5.10) showing that, up to contextual equivalence, the type τ bnd behaves like the atom-abstraction construct of [GP01, Sect. 5]. Along the way to these results we prove a Mason-Talcott-style "CIU" [MT91] characterisation of contextual equivalence for our language (Theorem 4.4). This is proved using Howe's method [How96] applied to a formulation of the operational semantics with Felleisen-style evaluation contexts [FH92], via an abstract machine with frame stacks [Pit02]. The proof technique underlying our work is rule-based induction, but with the novel twist that we exploit semantic properties of freshness of names that are based on the use of name permutations and that were introduced in [GP01] and developed in [Pit03, UN05, Pit06].

2. Generative Unbinding 

We use a version of FreshML that provides the signature in Figure 1 in the presence of higher order recursively defined functions on user declared data structures. Its syntax is given in Figure 2.

Variable binding. The syntax of expressions and frame stacks in Figure 2 involves some variable-binding constructs. Specifically:

• free occurrences of f and x in e are bound in fun(f x = e);

• free occurrences of x in e are bound in let x = e' in e;

• for i = 1..n, free occurrences of x_i in e_i are bound in match v with (C_1 x_1 -> e_1 | ··· | C_n x_n -> e_n);

• free occurrences of x in e are bound in S ∘ (x.e).

As usual, we identify expressions and frame stacks up to renaming of bound variables. We write fv(e) for the finite set of free variables of an expression e (and similarly for frame stacks); and we write

$$e[v, \ldots / x, \ldots] \qquad (2.1)$$

for the simultaneous, capture avoiding substitution of values v, ... for all free occurrences of the corresponding variables x, ... in the expression e (well-defined up to α-equivalence of bound variables).

Reduced form. The expressions in Figure 2 are given in a "reduced" form (also called "A-normal" form [FSDF93]), in which the order of evaluation is made explicit through let-expressions. This is not essential: the use of reduced form makes the development of properties of the language's dynamics more succinct and that is mostly what we are concerned with here. However, when giving example expressions it is convenient to use the "unreduced" forms given in Figure 3.



GENERATIVE UNBINDING OF NAMES

Variables              f, x ∈ V          countably infinite set (fixed)
Atoms                  a ∈ A             countably infinite set (fixed)
Data types             δ ∈ D             finite set (variable)
Constructors           C ∈ C             finite set (variable)
Observations           obs ∈ O           finite set (variable)

Values                 v ∈ Val ::=
                         x                                          variable
                         ()                                         unit
                         (v, v)                                     pair
                         fun(f x = e)                               recursive function
                         C v                                        data construction
                         a                                          atom
                         «v»v                                       atom binding

Expressions            e ∈ Exp ::=
                         v                                          value
                         let x = e in e                             sequencing
                         fst v                                      first projection
                         snd v                                      second projection
                         v v                                        function application
                         match v with (C x -> e | ··· | C x -> e)   data deconstruction
                         fresh ()                                   fresh atom
                         unbind v                                   generative unbinding
                         obs v ··· v                                atom observation

Frame stacks           S ∈ Stk ::=
                         Id                                         empty
                         S ∘ (x.e)                                  non-empty

States                 ā ∈ State = finite lists of distinct atoms

Machine configurations (ā, S, e)

Types                  τ ∈ Typ ::=
                         unit                                       unit
                         τ * τ                                      pairs
                         τ -> τ                                     functions
                         δ                                          data type
                         atm                                        atoms
                         τ bnd                                      atom bindings

Typing environments    Γ ∈ V ⇀fin Typ

Typing judgements      expressions & values   Γ ⊢ e : τ
                       frame stacks           Γ ⊢ S : τ ⇒ τ'

Initial basis          natural numbers        nat ∈ D
                       zero                   (Zero : unit -> nat) ∈ C
                       successor              (Succ : nat -> nat) ∈ C
                       atom equality          eq ∈ O (arity = 2)

Figure 2: Language syntax.
(e, e')                =  let x = e in let x' = e' in (x, x')              (x ∉ fv(e'), x' ≠ x)
λx. e                  =  fun(f x = e)
k e                    =  let x = e in k x                                 (k = C, fst, snd)
«e»e'                  =  let x = e in let x' = e' in «x»x'                (x ∉ fv(e'), x' ≠ x)
e e'                   =  let x = e in let x' = e' in x x'                 (x ∉ fv(e'), x' ≠ x)
match e with (···)     =  let x = e in match x with (···)                  (x ∉ fv(···))
if e then e' else e''  =  match e with (Zero () -> e' | Succ x -> e'')     (x ∉ fv(e''))
fresh x in e           =  let x = fresh () in e
let «x1»x2 = e in e'   =  let x = e in let x' = unbind x in
                          let x1 = fst x' in let x2 = snd x' in e'         (x, x' ∉ fv(e'), x' ≠ x, x1 ≠ x2)
obs e1 ··· en          =  let x1 = e1 in ··· let xn = en in obs x1 ··· xn  (x1, ..., xn ∉ fv(e1, ..., en), x1, ..., xn distinct).

Figure 3: Some "unreduced" forms of expression.



Remark 2.1 (Object-level binding). As well as variables (standing for unknown values), the language's expressions and frame stacks may contain atoms drawn from a fixed, countably infinite set A. As discussed in the introduction, atoms are used to represent names in the object-level languages that are being represented as data in this programming meta-language. In particular a value of the form «a»v is used to represent the object-level binding of a name a in the value v. However, note that there are no atom-binding constructs at the programming meta-level. The reader (especially one used to using lambda-abstraction to represent all forms of statically-scoped binding) may well ask why? Why can we not factor out by « »-bound atoms and thereby trivialise (one half of) the Correctness of Representation result referred to in the Introduction? The reason is that it does not make semantic sense to try to regard «a»(−) as a form of meta-level binding and identify all expressions up to an α-equivalence involving renaming « »-bound atoms. For example, if a and a' are two different atoms, such an α-equivalence would identify fun(f x = «a»x) with fun(f x = «a'»x). However, these are two semantically different values: they are not contextually equivalent in the sense discussed in Section 4. For example, the operational semantics described below gives observably different results (0 and 1 respectively) when we place the two expressions in the context

    let «x1»x2 = [−] a in eq x1 x2

(where eq ∈ O is the observation for atom-equality that we always assume is present; see Remark 3.4). The reason for this behaviour is that variables in FreshML-like languages stand for unknown values that may well involve atoms free at the object level. We may get capture of such atoms within the scope of an atom-binding «a»(−) during evaluation. In the example, we replaced the hole in [−] a with fun(f x = «a»x) and fun(f x = «a'»x) respectively, yielding expressions that evaluate to «a»a and «a'»a, the first involving capture and the second not; and such capturing substitution does not respect naive α-equivalence. So the relation of contextual equivalence that we define in Section 4 does not contain this naive α-equivalence that identifies all (open or closed) expressions up to renaming of « »-bound atoms.¹ However, we will show (Theorem 5.3) that when we restrict to closed expressions representing object-level languages, then contextual equivalence does contain (indeed, coincides with) this form of α-equivalence: this is the correctness of representation result referred to in the Introduction.

$$\frac{\Gamma(x) = \tau}{\Gamma \vdash x : \tau} \qquad \frac{}{\Gamma \vdash () : \texttt{unit}} \qquad \frac{\Gamma \vdash v_1 : \tau_1 \quad \Gamma \vdash v_2 : \tau_2}{\Gamma \vdash (v_1, v_2) : \tau_1 * \tau_2} \qquad \frac{\Gamma, f : \tau \to \tau', x : \tau \vdash e : \tau'}{\Gamma \vdash \texttt{fun}(f\,x = e) : \tau \to \tau'}$$

$$\frac{C : \tau \to \delta \quad \Gamma \vdash v : \tau}{\Gamma \vdash C\,v : \delta} \qquad \frac{a \in \mathbb{A}}{\Gamma \vdash a : \texttt{atm}} \qquad \frac{\Gamma \vdash v_1 : \texttt{atm} \quad \Gamma \vdash v_2 : \tau}{\Gamma \vdash «v_1»v_2 : \tau\,\texttt{bnd}}$$

$$\frac{\Gamma \vdash e : \tau \quad \Gamma, x : \tau \vdash e' : \tau'}{\Gamma \vdash \texttt{let}\ x = e\ \texttt{in}\ e' : \tau'} \qquad \frac{\Gamma \vdash v : \tau_1 * \tau_2}{\Gamma \vdash \texttt{fst}\,v : \tau_1} \qquad \frac{\Gamma \vdash v : \tau_1 * \tau_2}{\Gamma \vdash \texttt{snd}\,v : \tau_2} \qquad \frac{\Gamma \vdash v_1 : \tau \to \tau' \quad \Gamma \vdash v_2 : \tau}{\Gamma \vdash v_1\,v_2 : \tau'}$$

$$\frac{\delta = C_1\ \texttt{of}\ \tau_1 \mid \cdots \mid C_n\ \texttt{of}\ \tau_n \quad \Gamma \vdash v : \delta \quad \Gamma, x_1 : \tau_1 \vdash e_1 : \tau \quad \cdots \quad \Gamma, x_n : \tau_n \vdash e_n : \tau}{\Gamma \vdash \texttt{match}\ v\ \texttt{with}\ (C_1\,x_1 \to e_1 \mid \cdots \mid C_n\,x_n \to e_n) : \tau}$$

$$\frac{}{\Gamma \vdash \texttt{fresh}() : \texttt{atm}} \qquad \frac{\Gamma \vdash v : \tau\,\texttt{bnd}}{\Gamma \vdash \texttt{unbind}\,v : \texttt{atm} * \tau} \qquad \frac{\mathrm{arity}(obs) = k \quad \Gamma \vdash v_1 : \texttt{atm} \quad \cdots \quad \Gamma \vdash v_k : \texttt{atm}}{\Gamma \vdash obs\,v_1 \ldots v_k : \texttt{nat}}$$

$$\frac{}{\Gamma \vdash \texttt{Id} : \tau \Rightarrow \tau} \qquad \frac{\Gamma, x : \tau \vdash e : \tau' \quad \Gamma \vdash S : \tau' \Rightarrow \tau''}{\Gamma \vdash S \circ (x.e) : \tau \Rightarrow \tau''}$$

Notation:

• Γ, x : τ indicates the typing environment obtained by extending the finite partial function Γ by mapping a variable x to the type τ (we always assume that x ∉ dom(Γ)).

• In the typing rule for match-expressions, the hypothesis "δ = C_1 of τ_1 | ··· | C_n of τ_n" refers to the top-level data type declaration (2.2): in other words, the only constructors whose result type is δ are C_1, ..., C_n and τ_i is the argument type of C_i (for i = 1..n).

Figure 4: Typing relation.



Data types and observations. The language defined in Figure 2 is parameterised by the choice of a finite set O of function symbols that we call observations on atoms and whose role is discussed in Section 3, by a finite set D of data type symbols, and by a finite set C of constructor symbols. Each constructor C ∈ C is assumed to come with a type, C : τ -> δ, where τ ∈ Typ and δ ∈ D. The choice of D, C and this typing information constitutes an ML-style top-level declaration of some (possibly mutually recursive) data types:

$$\begin{array}{l}\texttt{type}\ \delta_1 = C_{1,1}\ \texttt{of}\ \tau_{1,1} \mid \cdots \mid C_{1,n_1}\ \texttt{of}\ \tau_{1,n_1} \\ \quad \vdots \\ \texttt{and}\ \delta_m = C_{m,1}\ \texttt{of}\ \tau_{m,1} \mid \cdots \mid C_{m,n_m}\ \texttt{of}\ \tau_{m,n_m}\end{array} \qquad (2.2)$$

Here δ_i (for i = 1..m) are the distinct elements of the set D of data type symbols and C_{i,j} (for i = 1..m and j = 1..n_i) are the distinct elements of the set C of constructor symbols. The above declaration just records the typing information C : τ -> δ that comes with each constructor, grouped by result types: δ_i appears as the result type of precisely the constructors C_{i,1}, ..., C_{i,n_i} and their argument types are τ_{i,1}, ..., τ_{i,n_i}. For the moment we place no restriction on these types: they can be any element of the set Typ whose grammar is given in Figure 2. However, when we consider representation of object-level languages up to α-equivalence in Section 5, we will restrict attention to top-level data type declarations where the types τ_{i,j} do not involve function types.

We consider observations on atoms that return natural numbers. (The effect of admitting some other types of operation on atoms is discussed in Section 6.2.) So we assume D always contains a distinguished data type nat for the type of natural numbers and that correspondingly C contains constructors Zero : unit -> nat and Succ : nat -> nat for zero and successor. Each obs ∈ O denotes a numerical function on atoms. We assume it comes with an arity, specifying the number of arguments it takes: so if arity(obs) = k and (v1, ..., vk) is a k-tuple of values of type atm, then obs v1 ... vk is an expression of type nat. The typing of the language's values, expressions and frame stacks takes place in the presence of typing environments, Γ, each assigning types to finitely many variables. The rules in Figure 4 for the inductively defined typing relation are entirely standard, given that we are following the signature in Figure 1.

As well as an arity, we assume that each obs ∈ O comes with a specified interpretation: the form this takes is discussed in Section 3.

¹Since the problematic possibly-capturing substitution is part of the dynamics of FreshML, there remains the possibility that the end results in the dynamics of expression evaluation can be made more abstract by identifying them up to renaming bound atoms: see Remark 2.5. There are also less naive versions of object-level α-equivalence that respect possibly-capturing substitution, such as the one developed in [UPG04] involving hypothetical judgements about freshness of atoms for variables; contextual equivalence and "contextual freshness" should form a model of this notion, but we do not pursue this here.

Example 2.2 (Swapping atoms). Examples of programming in FreshML using its characteristic feature of generatively unbinding atom-binding values may be found in [SPG03, SP05a]. Another feature of FreshML, the operation of swapping atoms, has been left out of the grammar in Figure 2. However, as we mentioned in the introduction, there is a type-directed definition of swapping, swap_τ : atm -> atm -> τ -> τ, for this language. For example, when τ is the type atm of atoms we can make use of the observation eq ∈ O for atom-equality that we always assume is present (see Remark 3.4) together with the abbreviations in Figure 3 and define

$$\mathit{swap}_{\texttt{atm}} = \lambda x.\lambda y.\lambda z.\ \texttt{if}\ \texttt{eq}\,z\,x\ \texttt{then}\ y\ \texttt{else}\ \texttt{if}\ \texttt{eq}\,z\,y\ \texttt{then}\ x\ \texttt{else}\ z. \qquad (2.3)$$

At unit, product, function and atom-binding types we can make use of standard definitions of permutation action for these types of data (see [Pit06, Section 3], for example):

$$\mathit{swap}_{\texttt{unit}} = \lambda x.\lambda y.\lambda z.\ z \qquad (2.4)$$

$$\mathit{swap}_{\tau_1 * \tau_2} = \lambda x.\lambda y.\lambda z.\ (\mathit{swap}_{\tau_1}\,x\,y\,(\texttt{fst}\,z),\ \mathit{swap}_{\tau_2}\,x\,y\,(\texttt{snd}\,z)) \qquad (2.5)$$

$$\mathit{swap}_{\tau_1 \to \tau_2} = \lambda x.\lambda y.\lambda z.\lambda x_1.\ \mathit{swap}_{\tau_2}\,x\,y\,(z\,(\mathit{swap}_{\tau_1}\,x\,y\,x_1)) \qquad (2.6)$$

$$\mathit{swap}_{\tau\,\texttt{bnd}} = \lambda x.\lambda y.\lambda z.\ \texttt{let}\ «z_1»z_2 = z\ \texttt{in}\ «\mathit{swap}_{\texttt{atm}}\,x\,y\,z_1»(\mathit{swap}_{\tau}\,x\,y\,z_2). \qquad (2.7)$$

At data types we have to make recursive definitions corresponding to the inductive nature of the data types. For example, if we assume that in addition to the data type nat for natural numbers we just have a data type term as in (1.1), then we can define

$$\mathit{swap}_{\texttt{nat}} = \lambda x.\lambda y.\ \texttt{fun}(f\,z = \texttt{match}\ z\ \texttt{with}\ (\texttt{Zero}() \to \texttt{Zero}() \mid \texttt{Succ}\,z_1 \to \texttt{Succ}(f\,z_1))) \qquad (2.8)$$

$$\begin{array}{ll}\mathit{swap}_{\texttt{term}} = \lambda x.\lambda y.\ \texttt{fun}(f\,z = \texttt{match}\ z\ \texttt{with}\ ( & \texttt{V}\,z_1 \to \texttt{V}(\mathit{swap}_{\texttt{atm}}\,x\,y\,z_1) \\ & \mid \texttt{L}\,z_1 \to \texttt{let}\ «z_2»z_3 = z_1\ \texttt{in}\ \texttt{L}(«\mathit{swap}_{\texttt{atm}}\,x\,y\,z_2»(f\,z_3)) \\ & \mid \texttt{A}\,z_1 \to \texttt{A}(f(\texttt{fst}\,z_1), f(\texttt{snd}\,z_1)))).\end{array} \qquad (2.9)$$

(The fact that values of type nat do not involve atoms means that the above systematic definition of swap_nat is in fact contextually equivalent to λx.λy.λz. z.)

$$(\bar a, S, e) \to (\bar a', S', e')$$

(1) $(\bar a, S \circ (x.e), v) \to (\bar a, S, e[v/x])$

(2) $(\bar a, S, \texttt{let}\ x = e_1\ \texttt{in}\ e_2) \to (\bar a, S \circ (x.e_2), e_1)$

(3) $(\bar a, S, \texttt{match}\ C\,v\ \texttt{with}\ (\cdots \mid C\,x \to e \mid \cdots)) \to (\bar a, S, e[v/x])$

(4) $(\bar a, S, \texttt{fst}(v_1, v_2)) \to (\bar a, S, v_1)$

(5) $(\bar a, S, \texttt{snd}(v_1, v_2)) \to (\bar a, S, v_2)$

(6) $(\bar a, S, v_1\,v_2) \to (\bar a, S, e[v_1, v_2 / f, x])$ if $v_1 = \texttt{fun}(f\,x = e)$

(7) $(\bar a, S, \texttt{fresh}()) \to (\bar a \oplus a', S, a')$ if $a' \notin \mathrm{atom}(\bar a)$

(8) $(\bar a, S, \texttt{unbind}\,«a»v) \to (\bar a \oplus a', S, (a', v\{a'/a\}))$ if $a' \notin \mathrm{atom}(\bar a)$

(9) $(\bar a, S, obs\,a_1 \ldots a_k) \to (\bar a, S, \ulcorner m \urcorner)$ if $\mathrm{arity}(obs) = k$, $(a_1, \ldots, a_k) \in \mathrm{atom}(\bar a)^k$ and $[\![obs]\!]_{\bar a}(a_1, \ldots, a_k) = m$

Notation:

• $v\{a'/a\}$ is the result of replacing all occurrences of an atom a by an atom a' in the value v;

• atom(_) is the finite set of all atoms occurring in _;

• $\bar a \oplus a'$ is the state obtained by appending an atom a' not in atom(ā) to the right of the finite list of distinct atoms ā;

• ⌜m⌝ is the closed value of type nat corresponding to m ∈ ℕ: ⌜0⌝ = Zero() and ⌜m+1⌝ = Succ ⌜m⌝;

• ⟦obs⟧ is the meaning of obs: see Section 3.

Figure 5: Transition relation.
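The type-directed swapping functions (2.3)–(2.9), as an added Python illustration that is not code from the paper: swap(ty) builds swap_τ by recursion on a small encoding of types, and rename_vs_swap checks the claim made in the Introduction that the renaming v{a'/a} agrees with swapping a and a' in v when a' is fresh for v (and can differ, through capture, when it is not). The Bnd class reads the components of «a»v directly, which FreshML does not permit; (2.7) and (2.9) go through generative unbinding for that reason. The type and value encodings and the atom names used are this example's assumptions.

```python
from typing import Any, Callable

class Bnd:
    """An atom binding «a»v.  Read directly here; in the language only unbind gives access."""
    def __init__(self, atom: str, value: Any):
        self.atom, self.value = atom, value
    def __eq__(self, other):
        return isinstance(other, Bnd) and (self.atom, self.value) == (other.atom, other.value)
    def __repr__(self):
        return f"«{self.atom}»{self.value!r}"

# Types: 'atm' | 'unit' | 'nat' | 'term' | ('prod', τ1, τ2) | ('fun', τ1, τ2) | ('bnd', τ)
# Values: atoms are strings, unit is None, nat is int, pairs are 2-tuples, functions are
# callables, and term values are ('V', a) | ('L', Bnd) | ('A', t, t) as in (1.1).
def swap(ty) -> Callable[[str, str, Any], Any]:
    """swap_τ : atm -> atm -> τ -> τ, defined by recursion on τ as in Example 2.2."""
    if ty == 'atm':                                                      # (2.3)
        return lambda x, y, z: y if z == x else (x if z == y else z)
    if ty in ('unit', 'nat'):                                            # (2.4), (2.8): no atoms inside
        return lambda x, y, z: z
    if ty == 'term':                                                     # (2.9)
        def f(x, y, z):
            if z[0] == 'V':
                return ('V', swap('atm')(x, y, z[1]))
            if z[0] == 'L':
                return ('L', Bnd(swap('atm')(x, y, z[1].atom), f(x, y, z[1].value)))
            return ('A', f(x, y, z[1]), f(x, y, z[2]))
        return f
    if ty[0] == 'prod':                                                  # (2.5)
        s1, s2 = swap(ty[1]), swap(ty[2])
        return lambda x, y, z: (s1(x, y, z[0]), s2(x, y, z[1]))
    if ty[0] == 'fun':                                                   # (2.6)
        s1, s2 = swap(ty[1]), swap(ty[2])
        return lambda x, y, z: (lambda x1: s2(x, y, z(s1(x, y, x1))))
    if ty[0] == 'bnd':                                                   # (2.7)
        s = swap(ty[1])
        return lambda x, y, z: Bnd(swap('atm')(x, y, z.atom), s(x, y, z.value))
    raise ValueError(f"unknown type {ty!r}")

def atoms_of(v) -> set:
    """atom(v) for a term value."""
    if v[0] == 'V':
        return {v[1]}
    if v[0] == 'L':
        return {v[1].atom} | atoms_of(v[1].value)
    return atoms_of(v[1]) | atoms_of(v[2])

def rename(v, old: str, new: str):
    """v{new/old}: textual renaming of an atom in a term value (may capture)."""
    if v[0] == 'V':
        return ('V', new if v[1] == old else v[1])
    if v[0] == 'L':
        return ('L', Bnd(new if v[1].atom == old else v[1].atom, rename(v[1].value, old, new)))
    return ('A', rename(v[1], old, new), rename(v[2], old, new))

def rename_vs_swap(v, a: str, a2: str) -> bool:
    """Does v{a2/a} equal swap_term a a2 v?  It always does when a2 is fresh for v."""
    return rename(v, a, a2) == swap('term')(a, a2, v)

def demo():
    """v = ⌜λa.(a b)⌝: renaming a to a fresh c agrees with swapping; renaming a to b,
    which is not fresh for v, captures the free b and disagrees with swapping."""
    v = ('L', Bnd('a', ('A', ('V', 'a'), ('V', 'b'))))
    return (rename_vs_swap(v, 'a', 'c'), rename_vs_swap(v, 'a', 'b'), 'c' in atoms_of(v))
```

The function case (2.6) is the one that shows why swapping rather than renaming is the semantically well-behaved operation: a closure can only be acted on by pre-composing with the inverse action on its argument, and for a swap the inverse is the swap itself.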

Operational semantics. The abstract machine that we use to define the language's dynamics has configurations of the form (ā, S, e). Here e is the expression to be evaluated, S is a stack of evaluation frames and ā is a finite list of distinct atoms that have been allocated so far. Figure 5 defines the transition relation between configurations that we use to give the language's operational semantics. The first six types of transition are all quite standard. Transition (7) defines the dynamic allocation of a fresh atom and transition (8) defines generative unbinding using a freshly created atom; we discuss transition (9) for observations on atoms in the next section. For the atom a' in (7) to really be fresh, we need to know that it does not occur in S; similarly, in (8) we need to know that a' does not occur in (S, a, v). These requirements are met if configurations (ā, S, e) satisfy that all the atoms occurring in the frame stack S or the expression e occur in the list ā. Using the notation atom(−) mentioned in Figure 5, we write this condition as

$$\mathrm{atom}(S, e) \subseteq \mathrm{atom}(\bar a). \qquad (2.10)$$
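The machine of Figure 5, as an added Python model that is not code from the paper: configurations (ā, S, e) over the reduced-form syntax of Figure 2 encoded as tagged tuples, the nine transitions, the invariant (2.10) checked before every step, and the context of Remark 2.1 evaluated with both fun(f x = «a»x) and fun(f x = «a'»x) to obtain the observable results 0 and 1. The tuple encoding, the atom and variable names, and the scheme by which new_atom picks an atom outside the state are this example's assumptions; the paper leaves that last choice to the implementation.

```python
VALUE_TAGS = {'var', 'unit', 'pair', 'fun', 'con', 'atom', 'abs'}          # v ∈ Val

def subst(e, env):
    # e[v,.../x,...] with closed values: binders shadow, and closedness rules out capture
    tag = e[0]
    if tag == 'var':
        return env.get(e[1], e)
    if tag in ('unit', 'atom', 'fresh'):
        return e
    if tag == 'fun':
        _, f, x, body = e
        return ('fun', f, x, subst(body, {k: v for k, v in env.items() if k not in (f, x)}))
    if tag == 'let':
        _, x, e1, e2 = e
        return ('let', x, subst(e1, env), subst(e2, {k: v for k, v in env.items() if k != x}))
    if tag == 'match':
        return ('match', subst(e[1], env), {C: (x, subst(b, {k: v for k, v in env.items() if k != x}))
                                            for C, (x, b) in e[2].items()})
    if tag == 'con':
        return ('con', e[1], subst(e[2], env))
    if tag == 'obs':
        return ('obs', e[1], [subst(v, env) for v in e[2]])
    return (tag,) + tuple(subst(c, env) for c in e[1:])       # pair, abs, fst, snd, unbind, app

def rename(e, old, new):
    # v{new/old}: replace every occurrence of the atom `old` by `new`
    if isinstance(e, tuple):
        return ('atom', new) if e[:2] == ('atom', old) else tuple(rename(c, old, new) for c in e)
    if isinstance(e, list):
        return [rename(c, old, new) for c in e]
    return {k: rename(c, old, new) for k, c in e.items()} if isinstance(e, dict) else e

def atoms_of(e):
    # atom(_): the set of atoms occurring anywhere in a syntactic structure
    if isinstance(e, tuple) and e[0] == 'atom':
        return {e[1]}
    parts = e.values() if isinstance(e, dict) else e if isinstance(e, (tuple, list)) else ()
    return set().union(*[atoms_of(c) for c in parts])

num = lambda n: ('con', 'Zero', ('unit',)) if n == 0 else ('con', 'Succ', num(n - 1))   # ⌜n⌝
to_int = lambda v: 0 if v[1] == 'Zero' else 1 + to_int(v[2])

OBS = {'eq': lambda st, a, b: 0 if a == b else 1}     # [eq]_ā, the observation always present

def new_atom(st):
    # some atom outside atom(ā): which one is chosen is an implementation detail
    return next(f"a{k}" for k in range(len(st) + 1) if f"a{k}" not in st)

def step(cfg):
    # one transition (ā, S, e) -> (ā', S', e') of Figure 5, or None if terminal;
    # ā is a list of atoms and S a list of frames (x, e) with the top frame last
    st, S, e = cfg
    tag = e[0]
    if tag in VALUE_TAGS:                                       # (1)
        return None if not S else (st, S[:-1], subst(S[-1][1], {S[-1][0]: e}))
    if tag == 'let':                                            # (2)
        return (st, S + [(e[1], e[3])], e[2])
    if tag == 'match':                                          # (3)
        x, body = e[2][e[1][1]]
        return (st, S, subst(body, {x: e[1][2]}))
    if tag in ('fst', 'snd'):                                   # (4), (5)
        return (st, S, e[1][1 if tag == 'fst' else 2])
    if tag == 'app':                                            # (6)
        _, f, x, body = e[1]
        return (st, S, subst(body, {f: e[1], x: e[2]}))
    if tag == 'fresh':                                          # (7)
        a = new_atom(st)
        return (st + [a], S, ('atom', a))
    if tag == 'unbind':                                         # (8): generative unbinding
        a, v, a2 = e[1][1][1], e[1][2], new_atom(st)
        return (st + [a2], S, ('pair', ('atom', a2), rename(v, a, a2)))
    if tag == 'obs':                                            # (9)
        args = [v[1] for v in e[2]]
        assert all(a in st for a in args), "observation applied outside atom(ā)"
        return (st, S, num(OBS[e[1]](st, *args)))
    raise ValueError(f"unknown expression {tag}")

def evaluate(st, e):
    # run (ā, Id, e) to a terminal configuration; returns (ā', v, n) with (ā, Id, e) ⇓n,
    # checking the invariant (2.10) atom(S, e) ⊆ atom(ā) before every transition
    cfg, n = (list(st), [], e), 0
    while True:
        assert atoms_of(cfg[1]) | atoms_of(cfg[2]) <= set(cfg[0]), "(2.10) violated"
        nxt = step(cfg)
        if nxt is None:
            return cfg[0], cfg[2], n
        cfg, n = nxt, n + 1

def remark_2_1_context(hole):
    # let «x1»x2 = [-] a in eq x1 x2, expanded to reduced form as in Figure 3
    return ('let', 'x', ('app', hole, ('atom', 'a')),
            ('let', "x'", ('unbind', ('var', 'x')),
             ('let', 'x1', ('fst', ('var', "x'")),
              ('let', 'x2', ('snd', ('var', "x'")),
               ('obs', 'eq', [('var', 'x1'), ('var', 'x2')])))))

def remark_2_1():
    # plug fun(f x = «a»x) and fun(f x = «a'»x) into the context; the state holds both atoms
    results = []
    for bound in ('a', "a'"):
        hole = ('fun', 'f', 'x', ('abs', ('atom', bound), ('var', 'x')))
        _, v, _ = evaluate(['a', "a'"], remark_2_1_context(hole))
        results.append(to_int(v))
    return tuple(results)
```

Running remark_2_1() gives (0, 1): with «a»x the application yields «a»a, whose generative unbinding renames both occurrences to the same fresh atom, while with «a'»x it yields «a'»a and the free a survives the renaming. The assertion in evaluate is the practical form of (2.10): any implementation that lets an atom reach S or e without recording it in ā could hand out a "fresh" atom that is already in use.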
Theorem 2.4 shows that this property of configurations is invariant under transitions, as is well-typedness. Before stating this theorem we introduce some useful terminology.

Definition 2.3 (Worlds). A (possible) world w is just a finite subset of the fixed set A of atoms. We write World for the set of all worlds.

In what follows we will index various relations associated with the language we are considering by worlds w ∈ World that make explicit the atoms involved in the relation. Sometimes (as in the following theorem) this is merely a matter of notational convenience; world-indexing will be more crucial when we consider program equivalence: see Remark 4.7 below.

Theorem 2.4 (Type Safety). Write $\vdash_w (\bar a, S, e) : \tau$ to mean that $\mathrm{atom}(S, e) \subseteq \mathrm{atom}(\bar a) = w$ and that there is some type τ' with $\emptyset \vdash S : \tau' \Rightarrow \tau$ and $\emptyset \vdash e : \tau'$. The type system has the following properties.

Preservation: if $\vdash_w (\bar a, S, e) : \tau$ and $(\bar a, S, e) \to (\bar a', S', e')$, with $\mathrm{atom}(\bar a') = w'$ say, then $w \subseteq w'$ and $\vdash_{w'} (\bar a', S', e') : \tau$.

Progress: if $\vdash_w (\bar a, S, e) : \tau$, then either $S = \texttt{Id}$ and $e \in \mathit{Val}$, or $(\bar a, S, e) \to (\bar a', S', e')$ holds for some $\bar a'$, $S'$ and $e'$.

Proof. The proof of these properties is routine and is omitted. □

Remark 2.5 (Alternative operational semantics). It is worth remarking that there are alternative approaches to representing object-level binding of a name a in a value v in FreshML-like languages. In the original paper on FreshML [PG00], the authors make a distinction between non-canonical expressions a.v for atom-binding and the "semantic values" abs(a, val) to which they evaluate. That paper gives an operational semantics in the style of the Definition of Standard ML [MTHM97] in which programming language expressions are separate from semantic values. It is possible to identify such semantic values up to α-equivalence of abs(a, −)-bound atoms without the kind of inconsistency illustrated in Remark 2.1. (Such semantic values in which abs(a, −) is a binder are used by Pottier [Pot07], albeit for first-order values.) However, this does not help to simplify the type of Correctness of Representation result in which we are interested here, because programs are written using expressions, not semantic values. For example, identifying semantic values in this way, abs(a, a) and abs(a', a') are identical and hence trivially contextually equivalent; however the expressions a.a and a'.a' (that here we write as «a»a and «a'»a') are not equal and there is something to be done to prove that they are contextually equivalent. In the operational semantics of [PG00] these expressions evaluate to the same semantic value up to α-equivalence; so one would need to prove that contextual equivalence for that language contains "Kleene equivalence", for example by proving a "CIU" theorem like our Theorem 4.4 below. So it is probably possible to develop the results of this paper using this slightly more abstract style of operational semantics with semantic values identified up to α-equivalence of bound atoms. However our experience is that the style of operational semantics we use here, in which semantic values are identified with certain canonical expressions (but necessarily not identified up to α-equivalence of bound atoms, for the reasons discussed in Remark 2.1) leads to a simpler technical development overall.
$$\frac{}{(\bar a, \texttt{Id}, v) \Downarrow_0} \qquad \frac{(\bar a, S, e) \to (\bar a', S', e') \quad (\bar a', S', e') \Downarrow_n}{(\bar a, S, e) \Downarrow_{n+1}} \qquad \frac{(\bar a, S, e) \Downarrow_n}{(\bar a, S, e) \Downarrow}$$

Figure 6: Termination relations.


3. Observations on Atoms

The language we are considering is parameterised by a choice of a finite set O of numerical functions on atoms. We assume that each obs ∈ O comes with a specified meaning ⟦obs⟧. As mentioned in the introduction, we should allow these meanings to be dependent on the current state (the list of distinct atoms that have been created so far). So if arity(obs) = k, for each ā ∈ State we assume given a function $[\![obs]\!]_{\bar a} : \mathrm{atom}(\bar a)^k \to \mathbb{N}$ mapping k-tuples of atoms occurring in the state ā to natural numbers. These functions are used in the transitions of type (9) in Figure 5. Not every such family $([\![obs]\!]_{\bar a} \mid \bar a \in \mathit{State})$ of functions is acceptable as an observation on atoms: we require that the family be equivariant. To explain what this means we need the following definition.

Definition 3.1 (Permutations). A finite permutation of atoms is a bijection π from the set A of atoms onto itself such that supp(π) = {a ∈ A | π(a) ≠ a} is a finite set. We write ℙ for the set of all such permutations. If π ∈ ℙ and ā ∈ State, then π · ā denotes the finite list of distinct atoms obtained by mapping π over the list ā; if e is an expression, then π · e denotes the expression obtained from it by applying π to the atoms in e; and similarly for other syntactical structures involving finitely many atoms, such as values and frame stacks.

We require the functions $([\![obs]\!]_{\bar a} \mid \bar a \in \mathit{State})$ associated with each obs ∈ O to satisfy an equivariance property: for all π ∈ ℙ, ā ∈ State and $(a_1, \ldots, a_k) \in \mathrm{atom}(\bar a)^k$ (where k is the arity of obs)

$$[\![obs]\!]_{\bar a}(a_1, \ldots, a_k) = [\![obs]\!]_{\pi \cdot \bar a}(\pi(a_1), \ldots, \pi(a_k)). \qquad (3.1)$$

We impose condition (3.1) for the following reason. In Figure 5 the side conditions on transitions of types (7) and (8) do not specify which of the infinitely many atoms in A − atom(ā) should be chosen as the fresh atom a'. Any particular implementation of the language will make such choices in some specific way, for example by implementing atoms as numbers and incrementing a global counter to get the next fresh atom. We wish to work at a level of abstraction that is independent of such implementation details. We can do so by ensuring that we only use properties of machine configurations (ā, S, e) that depend on the relative positions of atoms in the list ā, rather than upon their identities. So properties of configurations should be equivariant: if (ā, S, e) has the property, then so should (π · ā, π · S, π · e) for any π ∈ ℙ. The main property of configurations we need is termination, defined in Figure 6, since as we see in the next section this determines contextual equivalence of expressions. With condition (3.1) we have:

Lemma 3.2. If $(\bar a, S, e) \Downarrow_n$, then $(\pi \cdot \bar a, \pi \cdot S, \pi \cdot e) \Downarrow_n$ for any π ∈ ℙ.

Proof. In view of the definition of termination in Figure 6, it suffices to show that the transition relation is equivariant:

$$(\bar a, S, e) \to (\bar a', S', e') \;\Rightarrow\; (\pi \cdot \bar a, \pi \cdot S, \pi \cdot e) \to (\pi \cdot \bar a', \pi \cdot S', \pi \cdot e').$$
Equality, eq (arity = 2):
$$[\![eq]\!]_{\bar a}(a, a') = \begin{cases} 0 & \text{if } a = a', \\ 1 & \text{otherwise.} \end{cases}$$

Linear order, lt (arity = 2):
$$[\![lt]\!]_{\bar a}(a, a') = \begin{cases} 0 & \text{if } a \text{ occurs to the left of } a' \text{ in the list } \bar a, \\ 1 & \text{otherwise.} \end{cases}$$

Ordinal, ord (arity = 1):
$$[\![ord]\!]_{\bar a}(a) = n, \text{ if } a \text{ is the } n\text{th element of the list } \bar a \text{ (counting from 0).}$$

State size, card (arity = 0):
$$[\![card]\!]_{\bar a}() = \text{length of the list } \bar a.$$

Figure 7: Examples of observations on atoms.

This can be proved by cases from the definition of ⟶ in Figure 5. Cases [1]–[8] follow from general properties of the action of permutations on syntactical structures (such as the fact that π · (e[v/x]) equals (π · e)[π · v/x]); case [9] uses property (3.1). □

As a corollary we find that termination is indeed independent of the choice of fresh atom in transitions of the form [7] or [8].

Corollary 3.3. If $(\bar a, S, \mathit{fresh}())\downarrow_{n+1}$ with $atom(S) \subseteq atom(\bar a)$, then for all $a' \notin atom(\bar a)$ it is the case that $(\bar a \oplus a', S, a')\downarrow_n$. Similarly, if $(\bar a, S, \mathit{unbind}\ \langle\!\langle a\rangle\!\rangle v)\downarrow_{n+1}$ with $atom(S, a, v) \subseteq atom(\bar a)$, then for all $a' \notin atom(\bar a)$ it is the case that $(\bar a \oplus a', S, (a', v\{a'/a\}))\downarrow_n$. □

There are observations on atoms that are not equivariant, that is, whose value on some atoms in a particular state does not depend just upon the relative position of those atoms in the state. For example, if we fix some enumeration of the set of atoms, α : ℕ ≅ A, it is easy to see that the unary observation given by $[\![obs]\!]_{\bar a}(a) = \alpha^{-1}(a)$ fails to satisfy (3.1). Nevertheless, there is a wide range of functions that do have this property. Figure 7 gives some examples.

Remark 3.4 (Atom-equality test). The first observation on atoms given in Figure 7, eq, combined with the usual arithmetic operations for nat that are already definable in the language, gives us the effect of the function (=) : atm → atm → bool from the signature in Figure 1; so we assume that the set O of observations on atoms always contains eq.

Remark 3.5 (Fresh Atoms Largest). Note that in the operational semantics of Figure 5 we have chosen to make "fresh atoms largest", in the sense that the fresh atom a' in transitions [7] and [8] is added to the right-hand end of the list ā representing the current state. In the presence of observations on atoms other than equality, such a choice may well affect the properties of the notion of program equivalence that we explore in the next section. Other choices are possible, but to insist that program equivalence is independent of any such choice would rule out many useful observations on atoms (such as lt or ord in Figure 7).
4. Contextual Equivalence

We wish to prove that the language we have described satisfies Correctness of Representation properties of the kind mentioned in the introduction. To do so, we first have to be more precise about what it means for two expressions to be contextually equivalent, that is, to be interchangeable in any program without affecting the observable results of executing that program. What is a program, what does it mean to execute it, and what results of execution do we observe? The answers we take to these questions are: programs are closed well-typed expressions; execution means carrying out a sequence of transitions of the abstract machine from an initial machine configuration consisting of a state (that is, a list of atoms containing those mentioned in the program), the empty frame stack and the program; and we observe whether execution reaches a terminal configuration, that is, one of the form (ā, Id, v). We need only observe termination because of the language's strict evaluation strategy: observing any (reasonable) properties of the final value v results in the same notion of contextual equivalence. Also, it is technically convenient to be a bit more liberal about what constitutes an initial configuration by allowing the starting frame stack to be non-empty: this does not change the notion of contextual equivalence because of the correspondence between frame stacks and "evaluation" contexts; see the remarks after Definition 4.5 below. So we can say that e and e' are contextually equivalent if for all program contexts C[−], the programs C[e] and C[e'] are operationally equivalent in the following sense.

Definition 4.1 (Operational Equivalence of Closed Expressions). $\vdash_w e \cong e' : \tau$ is defined to hold if

• $atom(e, e') \subseteq w$;

• $\vdash e : \tau$ and $\vdash e' : \tau$; and

• for all $\bar a$, $S$ and $\tau'$ with $w \cup atom(S) \subseteq atom(\bar a)$ and $\vdash S : \tau \to \tau'$, it is the case that $(\bar a, S, e)\downarrow \;\Leftrightarrow\; (\bar a, S, e')\downarrow$.

However, for the reasons given in [Pit05, Section 7.5], we prefer not to phrase the formal definition of contextual equivalence in terms of the inconveniently concrete operation of possibly capturing substitution of open expressions for the hole "−" in program contexts C[−]. Instead we take the more abstract relational approach originally advocated by Gordon [Gor98] and Lassen [Las98] that focuses upon the key features of contextual equivalence, namely that it is the largest congruence relation for well-typed expressions that contains the relation of operational equivalence of Definition 4.1. A congruence relation is an expression relation that is an equivalence, compatible and substitutive, in the following sense.

Definition 4.2 (Expression Relations). An expression relation $\mathcal E$ is a set of tuples $(\Gamma, w, e, e', \tau)$ (made up of a typing context, a world, two expressions and a type) satisfying $atom(e, e') \subseteq w$, $\Gamma \vdash e : \tau$ and $\Gamma \vdash e' : \tau$. We write $\Gamma \vdash_w e\ \mathcal E\ e' : \tau$ to indicate that $(\Gamma, w, e, e', \tau)$ is a member of $\mathcal E$. We use the following terminology in connection with expression relations.

• $\mathcal E$ is an equivalence if it is reflexive ($atom(e) \subseteq w \wedge \Gamma \vdash e : \tau \Rightarrow \Gamma \vdash_w e\ \mathcal E\ e : \tau$), symmetric ($\Gamma \vdash_w e\ \mathcal E\ e' : \tau \Rightarrow \Gamma \vdash_w e'\ \mathcal E\ e : \tau$) and transitive ($\Gamma \vdash_w e\ \mathcal E\ e' : \tau \wedge \Gamma \vdash_w e'\ \mathcal E\ e'' : \tau \Rightarrow \Gamma \vdash_w e\ \mathcal E\ e'' : \tau$).

• $\mathcal E$ is compatible if $\hat{\mathcal E} \subseteq \mathcal E$, where $\hat{\mathcal E}$ is the compatible refinement of $\mathcal E$, defined in Figure 8.
$$\frac{\Gamma(x) = \tau}{\Gamma \vdash_w x\ \hat{\mathcal E}\ x : \tau} \qquad \frac{}{\Gamma \vdash_w ()\ \hat{\mathcal E}\ () : unit} \qquad \frac{\Gamma \vdash_w v_1\ \mathcal E\ v_1' : \tau_1 \quad \Gamma \vdash_w v_2\ \mathcal E\ v_2' : \tau_2}{\Gamma \vdash_w (v_1, v_2)\ \hat{\mathcal E}\ (v_1', v_2') : \tau_1 * \tau_2}$$

$$\frac{\Gamma, f : \tau \to \tau', x : \tau \vdash_w e\ \mathcal E\ e' : \tau'}{\Gamma \vdash_w \mathit{fun}(f\,x = e)\ \hat{\mathcal E}\ \mathit{fun}(f\,x = e') : \tau \to \tau'} \qquad \frac{C : \tau \to \delta \quad \Gamma \vdash_w v\ \mathcal E\ v' : \tau}{\Gamma \vdash_w C\,v\ \hat{\mathcal E}\ C\,v' : \delta} \qquad \frac{a \in w}{\Gamma \vdash_w a\ \hat{\mathcal E}\ a : atm}$$

$$\frac{\Gamma \vdash_w v_1\ \mathcal E\ v_1' : atm \quad \Gamma \vdash_w v_2\ \mathcal E\ v_2' : \tau}{\Gamma \vdash_w \langle\!\langle v_1\rangle\!\rangle v_2\ \hat{\mathcal E}\ \langle\!\langle v_1'\rangle\!\rangle v_2' : \tau\,bnd} \qquad \frac{\Gamma \vdash_w e_1\ \mathcal E\ e_1' : \tau \quad \Gamma, x : \tau \vdash_w e_2\ \mathcal E\ e_2' : \tau'}{\Gamma \vdash_w \mathit{let}\ x = e_1\ \mathit{in}\ e_2\ \hat{\mathcal E}\ \mathit{let}\ x = e_1'\ \mathit{in}\ e_2' : \tau'}$$

$$\frac{\Gamma \vdash_w v\ \mathcal E\ v' : \tau_1 * \tau_2}{\Gamma \vdash_w \mathit{fst}\ v\ \hat{\mathcal E}\ \mathit{fst}\ v' : \tau_1} \qquad \frac{\Gamma \vdash_w v\ \mathcal E\ v' : \tau_1 * \tau_2}{\Gamma \vdash_w \mathit{snd}\ v\ \hat{\mathcal E}\ \mathit{snd}\ v' : \tau_2} \qquad \frac{\Gamma \vdash_w v_1\ \mathcal E\ v_1' : \tau \to \tau' \quad \Gamma \vdash_w v_2\ \mathcal E\ v_2' : \tau}{\Gamma \vdash_w v_1\,v_2\ \hat{\mathcal E}\ v_1'\,v_2' : \tau'}$$

$$\frac{\delta = C_1\ \mathit{of}\ \tau_1 \mid \cdots \mid C_n\ \mathit{of}\ \tau_n \quad \Gamma \vdash_w v\ \mathcal E\ v' : \delta \quad \Gamma, x_1 : \tau_1 \vdash_w e_1\ \mathcal E\ e_1' : \tau \quad \cdots \quad \Gamma, x_n : \tau_n \vdash_w e_n\ \mathcal E\ e_n' : \tau}{\Gamma \vdash_w \mathit{match}\ v\ \mathit{with}\ (C_1\,x_1 \to e_1 \mid \cdots \mid C_n\,x_n \to e_n)\ \hat{\mathcal E}\ \mathit{match}\ v'\ \mathit{with}\ (C_1\,x_1 \to e_1' \mid \cdots \mid C_n\,x_n \to e_n') : \tau}$$

$$\frac{}{\Gamma \vdash_w \mathit{fresh}()\ \hat{\mathcal E}\ \mathit{fresh}() : atm} \qquad \frac{\Gamma \vdash_w v\ \mathcal E\ v' : \tau\,bnd}{\Gamma \vdash_w \mathit{unbind}\ v\ \hat{\mathcal E}\ \mathit{unbind}\ v' : atm * \tau} \qquad \frac{arity(obs) = k \quad \Gamma \vdash_w v_1\ \mathcal E\ v_1' : atm \quad \cdots \quad \Gamma \vdash_w v_k\ \mathcal E\ v_k' : atm}{\Gamma \vdash_w obs\ v_1 \ldots v_k\ \hat{\mathcal E}\ obs\ v_1' \ldots v_k' : nat}$$

$$\frac{}{\Gamma \vdash_w Id\ \hat{\mathcal E}\ Id : \tau \to \tau} \qquad \frac{\Gamma, x : \tau \vdash_w e\ \mathcal E\ e' : \tau' \quad \Gamma \vdash_w S\ \mathcal E\ S' : \tau' \to \tau''}{\Gamma \vdash_w S \circ (x.e)\ \hat{\mathcal E}\ S' \circ (x.e') : \tau \to \tau''}$$

Figure 8: Compatible refinement $\hat{\mathcal E}$ of an expression relation $\mathcal E$.

• $\mathcal E$ is substitutive if $\Gamma \vdash_w v\ \mathcal E\ v' : \tau \;\wedge\; \Gamma, x : \tau \vdash_w e\ \mathcal E\ e' : \tau' \;\Rightarrow\; \Gamma \vdash_w e[v/x]\ \mathcal E\ e'[v'/x] : \tau'$.

• $\mathcal E$ is equivariant if $\Gamma \vdash_w e\ \mathcal E\ e' : \tau \;\Rightarrow\; \Gamma \vdash_{\pi\cdot w} \pi\cdot e\ \mathcal E\ \pi\cdot e' : \tau$.

• $\mathcal E$ is adequate if $\vdash_w e\ \mathcal E\ e' : \tau \;\Rightarrow\; \vdash_w e \cong e' : \tau$.

We extend operational equivalence (Definition 4.1) to an expression relation, $\Gamma \vdash_w e \cong^\circ e' : \tau$, by instantiating free variables with closed values:

Definition 4.3 ($\cong^\circ$). Supposing $\Gamma = \{x_1 : \tau_1, \ldots, x_n : \tau_n\}$, we define $\Gamma \vdash_w e \cong^\circ e' : \tau$ to hold if

• $atom(e, e') \subseteq w$;

• $\Gamma \vdash e : \tau$ and $\Gamma \vdash e' : \tau$; and

• for all $w' \supseteq w$ and all closed values $v_i$ with $atom(v_i) \subseteq w'$ and $\vdash v_i : \tau_i$ (for $i = 1..n$), it is the case that $\vdash_{w'} e[\vec v/\vec x] \cong e'[\vec v/\vec x] : \tau$.

Note that for closed expressions, that is, in the case that $\Gamma = \emptyset$, the relation $\cong^\circ$ agrees with $\cong$:

$$\vdash_w e \cong^\circ e' : \tau \;\Leftrightarrow\; \vdash_w e \cong e' : \tau. \qquad (4.1)$$
Theorem 4.4 (CIU). Operational equivalence of possibly open expressions, $\cong^\circ$, is a compatible, substitutive and adequate equivalence. It is the largest such expression relation. It is also equivariant.

Proof. The fact that $\cong^\circ$ is equivariant follows from Lemma 3.2. The fact that it is an equivalence and adequate is immediate from its definition; as is the fact that it contains any expression relation that is adequate, substitutive and reflexive. So the main difficulty is to show that it is compatible and substitutive. One can do this by adapting a construction due to Howe [How96]; see the appendix. □

Definition 4.5 (Contextual Equivalence). In view of the discussion at the beginning of this section, Theorem 4.4 tells us that $\cong^\circ$ coincides with a conventional notion of contextual equivalence defined using program contexts: so from now on we refer to $\cong^\circ$ as contextual equivalence.

Remark 4.6 (Uses of closed instantiations). We labelled the above theorem "CIU" because it is analogous to a theorem of that name due to Mason and Talcott [MT91]. CIU, after permutation, stands for "Uses of Closed Instantiations"; and the theorem tells us that to test open expressions for contextual equivalence it suffices to first close them by substituting closed values for free variables and then test the resulting closed expressions for termination when they are used in any evaluation context [FH92]. This follows from the definition of $\cong^\circ$ and the fact that termination in evaluation contexts corresponds to termination of machine configurations via the easily verified property

$$(\bar a, S, e)\downarrow \;\Leftrightarrow\; (\bar a, Id, S[e])\downarrow \qquad (4.2)$$

where the expression $S[e]$ is defined by recursion on the length of the stack $S$ by:

$$\begin{aligned} Id[e] &= e \\ (S \circ (x.e'))[e] &= S[\mathit{let}\ x = e\ \mathit{in}\ e'] . \end{aligned} \qquad (4.3)$$

Theorem 4.4 serves to establish some basic properties of contextual equivalence, such as the fact that the state-independent transitions in Figure 5 (types [1]–[6] and [9]) give rise to contextual equivalences. For example, $\Gamma \vdash_w \mathit{let}\ x = v\ \mathit{in}\ e \cong^\circ e[v/x] : \tau'$ holds if $\Gamma \vdash_w v : \tau$ and $\Gamma, x : \tau \vdash_w e : \tau'$. However, we have to work a bit harder to understand the consequences of transitions of types [7] and [8] for contextual equivalence at atom binding types, $\tau\,bnd$. We address this in the next section.

Remark 4.7 (Possible Worlds). It is immediate from the definition of $\cong^\circ$ that it satisfies a weakening property:

$$\Gamma \vdash_w e \cong^\circ e' : \tau \;\wedge\; w \subseteq w' \;\Rightarrow\; \Gamma \vdash_{w'} e \cong^\circ e' : \tau. \qquad (4.4)$$

If it also satisfied a strengthening property

$$\Gamma \vdash_{w'} e \cong^\circ e' : \tau \;\wedge\; atom(e, e') \subseteq w \subseteq w' \;\Rightarrow\; \Gamma \vdash_w e \cong^\circ e' : \tau \qquad (4.5)$$

then we could make the indexing of contextual equivalence by "possible worlds" $w$ implicit by taking $w = atom(e, e')$. When $O$ just contains $eq$, property (4.5) does hold; this is why there is no need for indexing by possible worlds in [Shi05a, SP05b]. However, it is not hard to see that the presence of some observations on atoms, such as the function $card$ in Figure 7, can cause (4.5) to fail: $card$ reads the size of the current state, so two expressions can agree on every state containing the larger world $w'$ and yet differ on a smaller state containing only $w$. It is for this reason that we have built indexing by possible worlds into expression relations (Definition 4.2).
$$\frac{}{\vdash_w () =_\alpha () : unit} \qquad \frac{\vdash_w v_1 =_\alpha v_1' : \sigma_1 \quad \vdash_w v_2 =_\alpha v_2' : \sigma_2}{\vdash_w (v_1, v_2) =_\alpha (v_1', v_2') : \sigma_1 * \sigma_2} \qquad \frac{C : \sigma \to \delta \quad \vdash_w v =_\alpha v' : \sigma}{\vdash_w C\,v =_\alpha C\,v' : \delta}$$

$$\frac{a \in w}{\vdash_w a =_\alpha a : atm} \qquad \frac{a'' \notin w \supseteq atom(a, v, a', v') \quad \vdash_{w \cup \{a''\}} v\{a''/a\} =_\alpha v'\{a''/a'\} : \sigma}{\vdash_w \langle\!\langle a\rangle\!\rangle v =_\alpha \langle\!\langle a'\rangle\!\rangle v' : \sigma\,bnd}$$

Figure 9: α-Equivalence.

5. Correctness of Representation

Recall from Section 2 that the language we are considering is parameterised by a top-level declaration of some (possibly mutually recursive) data types:

$$\begin{aligned} \mathit{type}\ \delta_1 &= C_{1,1}\ \mathit{of}\ \tau_{1,1} \mid \cdots \mid C_{1,n_1}\ \mathit{of}\ \tau_{1,n_1} \\ &\;\vdots \\ \mathit{and}\ \delta_m &= C_{m,1}\ \mathit{of}\ \tau_{m,1} \mid \cdots \mid C_{m,n_m}\ \mathit{of}\ \tau_{m,n_m} \end{aligned} \qquad (5.1)$$

If we restrict attention to declarations in which the argument types $\tau_{i,j}$ of the constructors $C_{i,j}$ are just finite products of the declared data types $\delta_1, \ldots, \delta_m$, then the above declaration corresponds to a many-sorted algebraic signature; furthermore, in this case the language's values at each data type are just the abstract syntax trees of terms of the corresponding sort in the signature. By allowing atoms and atom bindings in addition to products in the argument types $\tau_{i,j}$, one arrives at the notion of "nominal signature", introduced in [UPG04] and more fully developed in [Pit06]. It extends the notion of many-sorted algebraic signature with names (of possibly many kinds) and information about name binding in constructors. Here, for simplicity, we are restricting to a single kind of name, represented by the type atm of atoms; but our results extend easily to the case of many kinds of name.

Definition 5.1 (Nominal Signatures). The subset $Arity \subseteq Typ$ is given by the grammar

$$\sigma \in Arity ::= unit \mid \sigma * \sigma \mid \delta \mid atm \mid \sigma\,bnd \qquad (5.2)$$

where $\delta$ ranges over the finite set $\mathcal D$ of data type symbols. (In other words $Arity$ consists of those types of our language that do not involve any use of the function type construction, $\to$.) The elements of the set $Arity$ are called nominal arities. (The notation $\langle\!\langle atm\rangle\!\rangle\sigma$ is used in [UPG04, Pit06] for what we here write as $\sigma\,bnd$.) A nominal signature with a single sort of atoms, atm, is specified by a data type declaration (5.1) in which the argument types $\tau_{i,j}$ of the constructors $C_{i,j}$ are all nominal arities.

The occurrences of $\sigma\,bnd$ in a nominal signature (5.1) indicate arguments with bound atoms. In particular, we can associate with each such signature a notion of α-equivalence, $=_\alpha$, that identifies closed values of nominal arity up to renaming bound atoms. The inductive definition of $=_\alpha$ is given in Figure 9. It generalises to an arbitrary nominal signature the syntax-directed characterisation of α-equivalence of λ-terms given in [Gun92, p. 36]. The definition in Figure 9 is essentially that given in [Pit06], except that we have included an indexing by possible worlds $w$, to chime with our form of judgement for contextual equivalence; without that indexing, the condition "$a'' \notin w \supseteq atom(a, v, a', v')$" in the rule for α-equivalence of values of atom binding type would be replaced by "$a'' \notin atom(a, v, a', v')$".

Remark 5.2 (The role of closed values). For each $\sigma \in Arity$, the closed values (that is, ones with no free variables) of that type, $\vdash_w v : \sigma$, correspond precisely to the ground terms (with arity $\sigma$ and atoms in $w$) over the given nominal signature, as defined in [UPG04]. For example, the declaration (1.1) corresponds to the nominal signature for λ-calculus; and closed values of type term correspond as in (1.2) to the abstract syntax trees for λ-terms, open or closed ones, with λ-calculus variables represented by atoms. For other examples of nominal signatures, with more complicated patterns of binding, see [Pit06, Section 2.2].

Note that the definition of $=_\alpha$ in Figure 9 cannot be extended naively to open values with free variables, for the reasons discussed in Remark 2.1. Free variables stand for unknown values that may well involve atoms that get captured by «–»-binders upon substitution. So as we saw in that remark, it does not make semantic sense to say, for example, that «a»x and «a'»x are α-equivalent without putting some restrictions on the kind of value x stands for. In [UPG04], Urban et al. consider such restrictions consisting of assumptions about the freshness of atoms for variables; they generalise Figure 9 to a hypothetical notion of α-equivalence between open values¹, with hypotheses consisting of such freshness assumptions. It may be possible to relate the validity of this general form of α-equivalence to contextual equivalence, but here we content ourselves with the following result about the straightforward notion of α-equivalence on closed values given by Figure 9.

Theorem 5.3 (Correctness of Representation). Suppose that all the observations on atoms $obs \in O$ satisfy the equivariance property (3.1). For each nominal signature, two closed values $v, v'$ of the same nominal arity $\sigma$ (with atoms contained in the finite set $w$, say) are α-equivalent if and only if they are contextually equivalent:

$$\vdash_w v =_\alpha v' : \sigma \;\Leftrightarrow\; \vdash_w v \cong v' : \sigma. \qquad (5.3)$$

The rest of this section is devoted to the proof of the bi-implication in (5.3). Before commencing the proof we make some remarks about the relative difficulty of each half of the bi-implication and about alternative approaches to the proof than the one we take.

Remark 5.4 ($\vdash_w v =_\alpha v' : \sigma \Rightarrow \vdash_w v \cong v' : \sigma$). At first sight it might seem that this implication is trivial: since we identify expressions up to α-equivalence of bound variables, contextual equivalence automatically contains that notion of equivalence. However, $=_\alpha$ is not that meta-level α-equivalence, it is α-equivalence at the object-level for «–»-bound atoms. As we noted in Remark 2.1, identifying all (open or closed) expressions up to renaming «–»-bound atoms is incompatible with contextual equivalence: so we cannot trivialise the left-to-right implication in (5.3) by factoring out in this way. Note that the restriction to nominal arities in Figure 9 means that we do not have to consider $=_\alpha$ for values of the form $\mathit{fun}(f\,x = e)$ and hence for open expressions $e$ where the naive definition of $=_\alpha$ would encounter the semantic problems discussed in Remarks 2.1 and 5.2.

So there really is something to do to establish the left-to-right implication in (5.3). However, we will see that we have already done most of the heavy lifting for this half of the theorem by establishing the CIU Theorem 4.4.

Remark 5.5 ($\vdash_w v \cong v' : \sigma \Rightarrow \vdash_w v =_\alpha v' : \sigma$). This is equivalent to showing that if two closed values $v$ and $v'$ of nominal arity $\sigma$ are not α-equivalent, then they are not contextually equivalent. Proving contextual inequivalence is much easier than proving contextual equivalence, since one just has to construct a context in which the two values have different operational behaviour. In this case it would suffice to exhibit a closed expression $\mathit{aeq}_\sigma : \sigma \to \sigma \to nat$ correctly implementing $=_\alpha$, in the sense that for all $v$ and $v'$

$$\vdash_w v =_\alpha v' : \sigma \;\Rightarrow\; \forall \bar a.\ w \subseteq atom(\bar a) \Rightarrow \exists \bar a'.\ (\bar a, Id, \mathit{aeq}_\sigma\, v\, v') \longrightarrow^* (\bar a', Id, \mathit{Zero}())$$

$$\vdash_w v \neq_\alpha v' : \sigma \;\Rightarrow\; \forall \bar a.\ w \subseteq atom(\bar a) \Rightarrow \exists \bar a'.\ (\bar a, Id, \mathit{aeq}_\sigma\, v\, v') \longrightarrow^* (\bar a', Id, \mathit{Succ}(\mathit{Zero}())).$$

It is indeed possible to construct such an expression $\mathit{aeq}_\sigma$ by induction on the structure of $\sigma$, by a definition that mimics the rules in Figure 9, using the definition of atom-swapping from Example 2.2 in the case of an atom-binding arity and using recursively defined functions at data types. The proof of the above properties of $\mathit{aeq}_\sigma$ is relatively straightforward if tedious; one first has to prove suitable correctness properties for the swapping expressions $\mathit{swap}_\sigma$ from Example 2.2.

¹ This is a slight over-simplification, since their "nominal terms" are not just the open values considered here: they involve explicit atom-permutations as well.
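To make the shape of such a decision procedure concrete, the following Python code is an added illustration (it is not the paper's own $\mathit{aeq}_\sigma$, which is an expression of the object language). It implements $=_\alpha$ on closed values over a nominal signature by following the rules of Figure 9 directly, using atom swapping in the binding case, and wraps it as an `aeq` function returning 0 or 1 in the spirit of Zero/Succ(Zero). The tagged-tuple representation of values, the string representation of atoms, the fresh-name scheme and the λ-calculus constructors `Var`, `App`, `Lam` are assumptions of this example.

```python
"""alpha-equivalence of closed values over a nominal signature, following
Figure 9 (added example, not the paper's aeq_sigma).

Values are tagged tuples (an assumption of this example):
  ('unit',)  ('pair', v1, v2)  ('con', C, v)  ('atm', a)  ('bnd', a, v)
Atoms are strings."""


def atoms(v):
    """atom(v): the finite set of atoms occurring in v, binders included."""
    tag = v[0]
    if tag == 'unit':
        return set()
    if tag == 'pair':
        return atoms(v[1]) | atoms(v[2])
    if tag == 'con':
        return atoms(v[2])
    if tag == 'atm':
        return {v[1]}
    if tag == 'bnd':
        return {v[1]} | atoms(v[2])
    raise ValueError(f"unknown value tag {tag!r}")


def swap(a, b, v):
    """Atom swapping (a b)·v: exchange a and b everywhere in v, binding
    positions included (the structural swap of Example 2.2)."""
    def sw(x):
        return b if x == a else a if x == b else x
    tag = v[0]
    if tag == 'unit':
        return v
    if tag == 'pair':
        return ('pair', swap(a, b, v[1]), swap(a, b, v[2]))
    if tag == 'con':
        return ('con', v[1], swap(a, b, v[2]))
    if tag == 'atm':
        return ('atm', sw(v[1]))
    if tag == 'bnd':
        return ('bnd', sw(v[1]), swap(a, b, v[2]))
    raise ValueError(f"unknown value tag {tag!r}")


def fresh_for(w):
    """Some atom a'' not in the world w (naming scheme is an assumption)."""
    n = 0
    while f"a{n}" in w:
        n += 1
    return f"a{n}"


def alpha_eq(v, v1, w):
    """Decide  |-_w v =_alpha v1  by the rules of Figure 9.
    Precondition (side condition of the figure): atom(v, v1) ⊆ w."""
    assert atoms(v) | atoms(v1) <= w, "world must contain all atoms of the values"
    if v[0] != v1[0]:
        return False                      # different shapes never match
    tag = v[0]
    if tag == 'unit':
        return True
    if tag == 'pair':
        return alpha_eq(v[1], v1[1], w) and alpha_eq(v[2], v1[2], w)
    if tag == 'con':                      # same constructor, alpha-eq argument
        return v[1] == v1[1] and alpha_eq(v[2], v1[2], w)
    if tag == 'atm':                      # free atoms must be identical
        return v[1] == v1[1]
    # bnd: «a»u =_alpha «a'»u'  iff  u{a''/a} =_alpha u'{a''/a'} at world
    # w ∪ {a''} for a fresh a'' ∉ w.  Because a'' is fresh, the renaming
    # u{a''/a} coincides with the swap (a a'')·u.
    a2 = fresh_for(w)
    return alpha_eq(swap(v[1], a2, v[2]), swap(v1[1], a2, v1[2]), w | {a2})


def aeq(v, v1):
    """0 when alpha-equivalent, 1 otherwise (mirroring Zero / Succ(Zero))."""
    return 0 if alpha_eq(v, v1, atoms(v) | atoms(v1)) else 1


# Constructors of the lambda-calculus signature (declaration (1.1) in the
# paper; the names below are this example's assumption):
#   term = Var of atm | App of term * term | Lam of term bnd
def Var(a):
    return ('con', 'Var', ('atm', a))


def App(t, u):
    return ('con', 'App', ('pair', t, u))


def Lam(a, t):
    return ('con', 'Lam', ('bnd', a, t))
```

For instance `aeq(Lam('x', Var('x')), Lam('y', Var('y')))` is 0 while `aeq(Lam('x', Var('y')), Lam('y', Var('x')))` is 1: after renaming both binders to the same fresh atom the bodies become `Var y` and `Var x`, and free atoms must coincide exactly.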

This is not the route to the right-to-left implication in (5.3) that we take. Instead we deduce it from a general "extensionality" property of atom-binding types $\tau\,bnd$ that holds for all types $\tau$, including ones that are not nominal arities, that is, ones involving function types. This property (Propositions 5.7 and 5.10) shows that, up to contextual equivalence, the type $\tau\,bnd$ behaves like the atom-abstraction construct of [GP01, Sect. 5]. It seems interesting in its own right. We are able to prove this property of general atom-binding types $\tau\,bnd$ only under a restriction on observations on atoms over and above the equivariance property (3.1) that we always assume they possess. This is the "affineness" property given in Definition 5.8 below. The equality test $eq$ (Figure 7) is affine and we will see that this fact is enough to prove Theorem 5.3 as stated, that is, without any restriction on the observations present other than equivariance.

We now begin the proof of Theorem 5.3.

Proposition 5.6.

(i) $\vdash_w () \cong () : unit$.

(ii) For all types $\tau_1, \tau_2 \in Typ$, $\vdash_w (v_1, v_2) \cong (v_1', v_2') : \tau_1 * \tau_2$ iff $\vdash_w v_1 \cong v_1' : \tau_1$ and $\vdash_w v_2 \cong v_2' : \tau_2$.

(iii) For each data type $\delta_i$ in the declaration (5.1), $\vdash_w C_{i,j}\,v \cong C_{i,j'}\,v' : \delta_i$ iff $j = j'$ and $\vdash_w v \cong v' : \tau_{i,j}$.

(iv) $\vdash_w a \cong a' : atm$ iff $a = a' \in w$.

Proof. Part (i) and the "if" directions of (ii)–(iv) are consequences of the fact (Theorem 4.4) that $\cong^\circ$ is a compatible equivalence. For the "only if" directions of (ii) and (iii) we apply suitably chosen destructors. Thus for part (ii) we use the operational equivalences $\vdash_w \mathit{fst}(v_1, v_2) \cong v_1 : \tau_1$ and $\vdash_w \mathit{snd}(v_1, v_2) \cong v_2 : \tau_2$ that are consequences of the definitions of $\cong$ and the termination relation. Similarly, part (iii) follows from the easily established operational (in)equivalences

$$\vdash_w \mathit{diverge} \not\cong v : \tau$$

$$\vdash_w \mathit{proj}_{i,j}(C_{i,j}\,v) \cong v : \tau_{i,j}$$

$$\vdash_w \mathit{proj}_{i,j}(C_{i,j'}\,v) \cong \mathit{diverge} : \tau_{i,j} \quad \text{if } j \neq j'$$

which make use of the following expressions

$$\mathit{diverge} = \mathit{fun}(f\,x = f\,x)\,()$$

$$\mathit{proj}_{i,j}\,v = \mathit{match}\ v\ \mathit{with}\ (C_{i,1}\,x_1 \to d_{j,1} \mid \cdots \mid C_{i,n_i}\,x_{n_i} \to d_{j,n_i})$$

where

$$d_{j,j'} = \begin{cases} x_{j'} & \text{if } j = j', \\ \mathit{diverge} & \text{if } j \neq j'. \end{cases}$$

Finally, for the "only if" direction of part (iv) we make use of the fact that $O$ always contains the atom equality function $eq$ from Figure 7; see Lemma A.4(i) in Appendix A. □

This proposition tells us that $\cong$ has properties mirroring those of α-equivalence given by the first four rules in Figure 9. To complete the proof of the correctness theorem, we need to prove a property of $\cong$ at atom binding arities $\sigma\,bnd$ that mirrors the fifth rule in that figure. We split this into two parts, Propositions 5.7 and 5.10.

Proposition 5.7. For any type $\tau \in Typ$, suppose we are given closed, well-typed atom binding values $\vdash_w \langle\!\langle a\rangle\!\rangle v : \tau\,bnd$ and $\vdash_w \langle\!\langle a'\rangle\!\rangle v' : \tau\,bnd$. If for some atom $a'' \notin w$ we have

$$\vdash_{w \cup \{a''\}} v\{a''/a\} \cong v'\{a''/a'\} : \tau \qquad (5.4)$$

then

$$\vdash_w \langle\!\langle a\rangle\!\rangle v \cong \langle\!\langle a'\rangle\!\rangle v' : \tau\,bnd. \qquad (5.5)$$

Proof. Unlike the previous proposition, this result is not just a simple consequence of the congruence properties of operational equivalence. It can be proved via an induction over the rules defining termination: see Appendix B. □

Next we need to prove the converse of the above proposition, namely that (5.5) implies (5.4) for any $a'' \notin w$. The difficulty is that in verifying (5.4) we have to consider the termination behaviour of $v\{a''/a\}$ and $v'\{a''/a'\}$ in all states $\bar a$ with $atom(\bar a) \supseteq w \cup \{a''\}$. The atom $a''$ may occur at any position in $\bar a$ and not necessarily at its right-hand end; whereas in assuming (5.5), all we appear to know about the termination behaviour of $v\{a''/a\}$ and $v'\{a''/a'\}$ is what happens when a fresh atom $a''$ is placed at the end of the state via generative unbinding (cf. Remark 3.5). In fact we are able to combine bind and unbind operations to rearrange atoms sufficiently to prove the result we want, but only in the presence of observations on atoms that are insensitive to atoms being added at the left-hand (that is, least) end of the state. The following definition makes this property of observations precise. It uses the notation $a' \oplus \bar a$ for the state obtained from $\bar a \in State$ by appending an atom $a'$ not in $atom(\bar a)$ to the left of the finite list of distinct atoms $\bar a$ (cf. $\bar a \oplus a'$ defined in Figure 5).

Definition 5.8 (Affine Observations). An observation on atoms, $obs \in O$, is affine if it is equivariant (3.1) and satisfies: for all $\bar a \in State$, all $a' \notin atom(\bar a)$ and all $(a_1, \ldots, a_k) \in atom(\bar a)^k$ (where $k$ is the arity of $obs$)

$$[\![obs]\!]_{a' \oplus \bar a}(a_1, \ldots, a_k) = [\![obs]\!]_{\bar a}(a_1, \ldots, a_k). \qquad (5.6)$$

For example, of the observations defined in Figure 7, $eq$ and $lt$ are affine, whereas $ord$ and $card$ are not: prepending an atom shifts every position by one and lengthens the state, but leaves equality and the relative order of the existing atoms unchanged.
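The two side conditions on observations, equivariance (3.1) and affineness (5.6), are both checkable by brute force on small states. The following Python model is an added example, not code from the paper: it represents a state as a list of distinct atoms, implements the four observations of Figure 7 together with the non-equivariant observation $\alpha^{-1}$ mentioned after Corollary 3.3, checks (3.1) against all permutations of the state's atoms (plus one renaming to atoms outside the state) and (5.6) by prepending a new atom, and confirms that a freshly generated atom is "largest" (Remark 3.5), which is the intuition behind Example 5.11. The string representation of atoms and the naming scheme for fresh atoms are assumptions of the example.

```python
"""List-of-atoms model of machine states and of the observations in
Figure 7, with brute-force checks of equivariance (3.1) and affineness
(5.6).  Added example; not code from the paper.  Atoms are strings
(an assumption of this example); a state is a list of distinct atoms."""
from itertools import permutations, product


def eq(state, a, b):              # Equality (Figure 7)
    return 0 if a == b else 1


def lt(state, a, b):              # Linear order: position in the state list
    return 0 if state.index(a) < state.index(b) else 1


def ord_(state, a):               # Ordinal: 0-based position of a in the list
    return state.index(a)


def card(state):                  # State size
    return len(state)


def enum(state, a):
    """A NON-equivariant observation alpha^{-1}(a): it reads the identity of
    the atom (here the number in its name) rather than its position."""
    return int(a.lstrip("a"))


OBS = {"eq": (eq, 2), "lt": (lt, 2), "ord": (ord_, 1), "card": (card, 0),
       "enum": (enum, 1)}


def fresh(state):
    """fresh(): an atom not in the state is appended at the RIGHT end
    ('fresh atoms largest', Remark 3.5).  Returns (new_state, new_atom)."""
    n = 0
    while f"a{n}" in state:
        n += 1
    return state + [f"a{n}"], f"a{n}"


def is_equivariant(obs, k, state):
    """Check (3.1): obs_state(a1..ak) == obs_{pi.state}(pi a1 .. pi ak) for
    every k-tuple of atoms of the state and for each tried permutation pi.
    Tried: all permutations among the state's own atoms, plus a renaming of
    every atom to a name outside the state; one counterexample refutes (3.1)."""
    atoms = list(state)
    images = [list(p) for p in permutations(atoms)]
    images.append([f"a{100 + i}" for i in range(len(atoms))])
    for image in images:
        pi = dict(zip(atoms, image))
        pstate = [pi[x] for x in state]
        for t in product(atoms, repeat=k):
            if obs(state, *t) != obs(pstate, *(pi[x] for x in t)):
                return False
    return True


def is_affine(obs, k, state, new_atom="b"):
    """Check Definition 5.8: equivariant, and (5.6) adding new_atom at the
    LEFT end does not change the observation on the atoms already present."""
    assert new_atom not in state
    if not is_equivariant(obs, k, state):
        return False
    for t in product(state, repeat=k):
        if obs([new_atom] + state, *t) != obs(state, *t):
            return False
    return True


def classify(state=("a0", "a1", "a2")):
    """{name: (equivariant?, affine?)} for every observation in OBS."""
    state = list(state)
    return {name: (is_equivariant(f, k, state), is_affine(f, k, state))
            for name, (f, k) in OBS.items()}


def fresh_is_largest(state=("a0", "a1", "a2")):
    """ord of a freshly generated atom equals card of the old state and the
    new atom is lt-greater than every existing one: generative unbinding can
    never place the fresh atom at position 0 of a non-empty state."""
    state = list(state)
    state2, a = fresh(state)
    return (ord_(state2, a) == card(state)
            and all(lt(state2, x, a) == 0 for x in state))
```

`classify()` reports `eq` and `lt` as both equivariant and affine, `ord` and `card` as equivariant but not affine, and `enum` as neither, matching the classification given after Definition 5.8.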

The following property of termination follows from its definition in Figures 5 and 6 using Corollary 3.3.

Lemma 5.9. Given a frame stack $S$ and an expression $e$, suppose that only affine observations on atoms occur in them. Then for all $\bar a$ with $atom(S, e) \subseteq atom(\bar a)$ and all $a' \notin atom(\bar a)$, $(a' \oplus \bar a, S, e)\downarrow_n \;\Leftrightarrow\; (\bar a, S, e)\downarrow_n$. □
We now give a converse of Proposition 5.7 under the assumption that only affine observations are used. The proof is the technically most involved result in the paper.

Proposition 5.10. Suppose that $O$ only contains affine observations. For any type $\tau \in Typ$, suppose we are given closed, well-typed atom binding values $\vdash_w \langle\!\langle a\rangle\!\rangle v : \tau\,bnd$ and $\vdash_w \langle\!\langle a'\rangle\!\rangle v' : \tau\,bnd$. Then for all atoms $a'' \notin w$ we have

$$\vdash_w \langle\!\langle a\rangle\!\rangle v \cong \langle\!\langle a'\rangle\!\rangle v' : \tau\,bnd \qquad (5.7)$$

implies

$$\vdash_{w \cup \{a''\}} v\{a''/a\} \cong v'\{a''/a'\} : \tau. \qquad (5.8)$$

Proof. Suppose (5.7) holds and that $a'' \notin w$. To prove (5.8) we have to show for any $w' \in World$, $\bar a \in State$ and $\tau' \in Typ$ with $atom(\bar a) = w' \supseteq w \cup \{a''\}$ and $\vdash_{w'} S : \tau \to \tau'$ that

$$(\bar a, S, v\{a''/a\})\downarrow \;\Leftrightarrow\; (\bar a, S, v'\{a''/a'\})\downarrow. \qquad (5.9)$$

Since $a'' \in atom(\bar a)$, we have

$$\bar a = \bar a' \oplus a'' \oplus a_0 \oplus \cdots \oplus a_{n-1} \qquad (5.10)$$

for some state $\bar a'$ and atoms $a_0, \ldots, a_{n-1}$ ($n \geq 0$). Choose distinct atoms $b_0, \ldots, b_{n-1}$ not occurring in $w'$ and consider the frame stack

$$\begin{aligned} S' = Id \circ (z.\ &\mathit{let}\ \langle\!\langle x\rangle\!\rangle y_0 = z\ \mathit{in} \\ &\mathit{let}\ \langle\!\langle x_0\rangle\!\rangle y_1 = \langle\!\langle b_0\rangle\!\rangle y_0\ \mathit{in} \\ &\;\vdots \\ &\mathit{let}\ \langle\!\langle x_{n-1}\rangle\!\rangle y_n = \langle\!\langle b_{n-1}\rangle\!\rangle y_{n-1}\ \mathit{in} \\ &S\{x, x_0, \ldots, x_{n-1}/a'', a_0, \ldots, a_{n-1}\}[y_n]) \end{aligned} \qquad (5.11)$$

where $z, x, x_0, \ldots, x_{n-1}, y_0, \ldots, y_n$ are distinct variables not occurring in $S$. Here we have used the notation "let «x₁»x₂ = e in e'" introduced earlier, the notation "$S[e]$" from (4.3) and the operation $(-)\{x/a\}$ of replacing an atom $a$ by a variable $x$.

Since $atom(S) \subseteq w' = atom(\bar a)$, by definition of $S'$ and from (5.10) we have $atom(S') \subseteq atom(\bar b')$ where

$$\bar b' = b_0 \oplus \cdots \oplus b_{n-1} \oplus \bar a'. \qquad (5.12)$$

Let $\pi \in P$ be the permutation swapping each $a_i$ with $b_i$ (for $i = 0..n-1$). Since $a'' \notin w \supseteq atom(a, v)$, by definition of $\bar b'$ we have $atom(\pi\cdot\langle\!\langle a\rangle\!\rangle v) \subseteq atom(\bar b')$. Therefore the configuration $(\bar b', S', \pi\cdot\langle\!\langle a\rangle\!\rangle v)$ satisfies the well-formedness condition needed to apply Corollary 3.3. Noting that $\pi\cdot(\langle\!\langle a\rangle\!\rangle v) = \langle\!\langle \pi(a)\rangle\!\rangle(\pi\cdot v)$ and that $\pi\cdot(v\{a''/a\}) = (\pi\cdot v)\{\pi(a'')/\pi(a)\} = (\pi\cdot v)\{a''/\pi(a)\}$ (because $\pi$ fixes $a''$), from that corollary, property (4.2) and the definition of $S'$ we get:

$$(\bar b', S', \pi\cdot(\langle\!\langle a\rangle\!\rangle v))\downarrow \;\Leftrightarrow\; (\bar b' \oplus a'' \oplus a_0 \oplus \cdots \oplus a_{n-1},\ S,\ (\pi\cdot(v\{a''/a\}))\{a_0, \ldots, a_{n-1}/b_0, \ldots, b_{n-1}\})\downarrow.$$

Note that by definition of $\pi$

$$\begin{aligned} (\pi\cdot(v\{a''/a\}))\{a_0, \ldots, a_{n-1}/b_0, \ldots, b_{n-1}\} &= ((v\{a''/a\})\{b_0, \ldots, b_{n-1}/a_0, \ldots, a_{n-1}\})\{a_0, \ldots, a_{n-1}/b_0, \ldots, b_{n-1}\} \\ &= v\{a''/a\}; \end{aligned}$$

and $\bar b' \oplus a'' \oplus a_0 \oplus \cdots \oplus a_{n-1} = b_0 \oplus \cdots \oplus b_{n-1} \oplus \bar a$ by (5.10) and (5.12). So altogether we have

$$(\bar b', S', \pi\cdot\langle\!\langle a\rangle\!\rangle v)\downarrow \;\Leftrightarrow\; (b_0 \oplus \cdots \oplus b_{n-1} \oplus \bar a,\ S,\ v\{a''/a\})\downarrow. \qquad (5.13)$$

A similar argument gives

$$(\bar b', S', \pi\cdot\langle\!\langle a'\rangle\!\rangle v')\downarrow \;\Leftrightarrow\; (b_0 \oplus \cdots \oplus b_{n-1} \oplus \bar a,\ S,\ v'\{a''/a'\})\downarrow. \qquad (5.14)$$

We noted in Theorem 4.4 that operational equivalence is equivariant. So from (5.7) we have $\vdash_{atom(\bar b')} \pi\cdot\langle\!\langle a\rangle\!\rangle v \cong \pi\cdot\langle\!\langle a'\rangle\!\rangle v' : \tau\,bnd$. Since $\vdash_{atom(\bar b')} S' : \tau\,bnd \to \tau'$, this operational equivalence gives

$$(\bar b', S', \pi\cdot\langle\!\langle a\rangle\!\rangle v)\downarrow \;\Leftrightarrow\; (\bar b', S', \pi\cdot\langle\!\langle a'\rangle\!\rangle v')\downarrow.$$

Combining this with (5.13) and (5.14) yields

$$(b_0 \oplus \cdots \oplus b_{n-1} \oplus \bar a,\ S,\ v\{a''/a\})\downarrow \;\Leftrightarrow\; (b_0 \oplus \cdots \oplus b_{n-1} \oplus \bar a,\ S,\ v'\{a''/a'\})\downarrow. \qquad (5.15)$$

Since $b_0, \ldots, b_{n-1} \notin w' = atom(\bar a) \supseteq atom(S, a'', v, v')$ and $O$ only contains affine observations, we can now apply Lemma 5.9 (once for each $b_i$) to (5.15) to get (5.9), as required. □

Example 5.11. We conjecture that Proposition 5.10 fails to hold if we drop the requirement that observations are affine (but still require them to be equivariant). For example consider the equivariant but non-affine observation $ord$ in Figure 7 and the values

$$v = \mathit{fun}(f\,x = f\,x)$$

$$v' = \mathit{fun}(f\,x = \mathit{match}\ \mathit{ord}\ a\ \mathit{with}\ (\mathit{Zero} \to () \mid \mathit{Succ}\,y \to v\,()))$$

where $a$ is some atom. We claim that

$$\vdash_{\{a\}} \langle\!\langle a\rangle\!\rangle v \cong \langle\!\langle a\rangle\!\rangle v' : (unit \to unit)\,bnd \qquad (5.16)$$

but that for any $a' \neq a$

$$\vdash_{\{a, a'\}} v\{a'/a\} \not\cong v'\{a'/a\} : unit \to unit. \qquad (5.17)$$

The operational inequivalence (5.17) is witnessed by the state $\bar a = [a', a]$ and the frame stack $S = Id \circ (x.\ x\,())$, for which one has $(\bar a, S, v'\{a'/a\})\downarrow$ but not $(\bar a, S, v\{a'/a\})\downarrow$: in that state $a'$ is the 0th element, so $\mathit{ord}\ a'$ evaluates to $\mathit{Zero}$ and the application returns $()$, whereas $v\,()$ never terminates. At the moment we lack a formal proof of the operational equivalence (5.16), but the intuitive justification for it is as follows. For any state $\bar a$ containing $a$ and any frame stack $S$, we claim that in any sequence of transitions from $(\bar a, S, \langle\!\langle a\rangle\!\rangle v')$ the occurrence of $\mathit{ord}\ a$ in $v'$ can only be renamed to $\mathit{ord}\ a'$ for atoms $a'$ at positions strictly greater than 0 in the current state, since fresh atoms are appended at the right-hand end (Remark 3.5); the match therefore always takes the $\mathit{Succ}$ branch, and hence $(\bar a, S, \langle\!\langle a\rangle\!\rangle v')$ has the same termination properties as $(\bar a, S, \langle\!\langle a\rangle\!\rangle v)$.

Proof of Theorem 5.3. One proves that $\vdash_w v =_\alpha v' : \sigma$ implies $\vdash_w v \cong v' : \sigma$ by induction on the rules defining α-equivalence in Figure 9, using Propositions 5.6 and 5.7.

To prove the converse implication, first note that if $\vdash v : \sigma$, then $v$ contains no instances of observations $obs \in O$. The proof of this is by induction on the structure of the nominal arity $\sigma$: the only way observations on atoms can appear in values of the language is via function values, $\mathit{fun}(f\,x = e)$, and the definition of "nominal arity" excludes function types. It follows from the definition of operational equivalence in Definition 4.1 that if $\vdash_w v \cong v' : \sigma$ holds for a language with observation set $O$, it also holds for the sub-language with minimal observation set $\{eq\}$ (every frame stack of the sub-language is a frame stack of the full language, and neither value mentions an observation). Thus it suffices to prove the implication $\vdash_w v \cong v' : \sigma \Rightarrow \vdash_w v =_\alpha v' : \sigma$ for this minimal sub-language; and this can be done by induction on the structure of $\sigma$ using Propositions 5.6 and 5.10 (the latter applies because $eq$ is affine). □
6. Related and Further Work

6.1. Correctness of Representation. It is instructive to compare the Correctness of Representation property of FreshML (Theorem 5.3) with adequacy results for type-theoretic logical frameworks [Pfe01]. Both are concerned with the representation of expressions of some object-language in a meta-language. For logical frameworks the main issue is surjectivity: one wants every expression at the meta-level to be convertible to a normal form and for every normal form at certain types to be the representation of some object-level expression. The fact that α-equivalence of object-level expressions is preserved and reflected by the representation is a simple matter, because equivalence in the logical framework is taken to be αβη-conversion, which specialises on normal forms to just α-equivalence. Contrast this with the situation for FreshML where surjectivity of the representation is straightforward, because values of the relevant FreshML data types are just first order abstract syntax trees; whereas the fact that α-equivalence of object-level expressions is preserved and reflected by the representation in FreshML is a non-trivial property. This is because we take equivalence of FreshML expressions to be contextual equivalence. This is the natural notion of equivalence from a programming point of view, but its properties are hard won.

One aspect of adequacy results for logical frameworks highlighted in [Pfe01] is compositionality of representations. Although important, this issue is somewhat orthogonal to our concerns here. It refers to the question of whether substitution of expressions for variables at the object-level is represented by β-conversion at the meta-level. From the point of view of nominal signatures [Pit06], variables are just one kind of name. Properties of α-conversion of all kinds of names are treated by the theory; but if one wants notions of substitution and β-conversion for a particular kind of name, one has to give a definition (an "α-structural" recursive definition [Pit06]). For example in FreshML, using the data type (1.1) for λ-terms one can give an appealingly simple declaration for a function subst : term → atm → term → term for capture-avoiding substitution; see [SPG03, p. 264]. Compositionality of the representation $t \mapsto \ulcorner t\urcorner$ given in the introduction then becomes the contextual equivalence $\vdash_w \ulcorner t_1[t_2/a]\urcorner \cong \mathit{subst}\ \ulcorner t_2\urcorner\ a\ \ulcorner t_1\urcorner : term$. The CIU theorem (Theorem 4.4) provides the basis for proving such contextual equivalences. (We believe this particular equivalence is valid when $O = \{eq, lt\}$, but not when $O = \{eq, card\}$; see below.)

6.2. Concrete Semantics. We have explored some of the consequences of adding integer-valued "observations on atoms" to FreshML over and above the usual test for equality. Such functions allow more efficient data structures to be used for algorithms involving atoms as keys. For example, binary search trees making use of the comparison function $\mathit{lt}$ from Figure 7 could be used instead of association lists.

What about adding functions from numbers to atoms? An implementation of the language may well represent atoms by numbers, via some fixed enumeration of the set of atoms, $\alpha : \mathbb{N} \cong \mathbb{A}$. Can we give the programmer access to this bijection? Less radically, can we allow operations on atoms that make use of arithmetic properties of the underlying representation? Not without breaking the invariant $\mathrm{atom}(S, e) \subseteq \mathrm{atom}(\sigma)$ of configurations $\langle\sigma, S, e\rangle$ — the property of our operational semantics that ensures that an atom's freshness with respect to the current state really does mean that it is different from all other atoms in the current context. For example, suppose we add to the language an operation $\mathit{succ} : \mathit{atm} \to \mathit{atm}$ whose meaning is "successor function on atoms", with transitions $\langle\sigma, S, \mathit{succ}\ a\rangle \to \langle\sigma, S, a'\rangle$ whenever $a = \alpha(n)$ and $a' = \alpha(n+1)$ for some $n \in \mathbb{N}$. Then it may well be the case that $a' \notin \mathrm{atom}(\sigma)$ even though $a \in \mathrm{atom}(\sigma)$.

So exposing the numerical representation of atoms involves giving up the invariant properties of the abstract semantics we have used here. Perhaps a more interesting alternative to actually exposing numerical representations of atoms would be to prove contextual equivalence of efficient and naive implementations of the abstract semantics extended with types of finite maps on atoms. Such abstract types form an addition to the signature in Figure 1 different from the kind we have considered here, but certainly one worthy of investigation.
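As an added illustration (not code from the paper) of the invariant $\mathrm{atom}(S, e) \subseteq \mathrm{atom}(\sigma)$ discussed above, and of the distinction between affine and non-affine observations drawn in Section 7, here is a small Python model of states, fresh name generation and state-dependent observations. The concrete readings of $\mathit{eq}$, $\mathit{lt}$ and $\mathit{card}$, and the names `State`, `fresh` and `succ`, are assumptions of this example.

```python
"""Toy model, added here as an illustration and not taken from the paper, of the
configuration invariant atom(S, e) ⊆ atom(sigma) and of nat-valued observations
on atoms.  Atoms are represented by naturals through the enumeration
alpha(n) = n; a State records the atoms created so far, in creation order.
The readings of the observations are assumptions of this example: eq returns 0
exactly when its arguments are equal (the reading implied by the frame stack in
Lemma A.4), lt asks whether its first argument was created before its second,
and card counts the atoms created before its argument."""
from typing import Callable, Dict, List, Optional, Set

Atom = int


class State:
    """sigma: the atoms created so far, oldest first."""

    def __init__(self, created: Optional[List[Atom]] = None) -> None:
        self.created: List[Atom] = list(created or [])

    def atoms(self) -> Set[Atom]:
        return set(self.created)

    def fresh(self) -> Atom:
        """fresh(): choose a not in atom(sigma) and move to the state sigma ⊕ a."""
        a = max(self.created, default=-1) + 1
        self.created.append(a)
        return a


def invariant_holds(sigma: State, *mentioned: Atom) -> bool:
    """atom(S, e) ⊆ atom(sigma): every atom the program mentions is in the state."""
    return set(mentioned) <= sigma.atoms()


# Observations O: nat-valued functions of the state and of atoms drawn from it.
def eq(sigma: State, a: Atom, b: Atom) -> int:
    return 0 if a == b else 1


def lt(sigma: State, a: Atom, b: Atom) -> int:
    return 1 if sigma.created.index(a) < sigma.created.index(b) else 0


def card(sigma: State, a: Atom) -> int:
    return sigma.created.index(a)


def succ(sigma: State, a: Atom) -> Atom:
    """The hypothetical succ : atm -> atm of Section 6.2, alpha(n) |-> alpha(n+1).
    It never consults the state, so its result need not lie in atom(sigma)."""
    return a + 1


def swap(a: Atom, b: Atom, x: Atom) -> Atom:
    """The permutation (a b) applied to the atom x."""
    return b if x == a else a if x == b else x


def is_equivariant(obs: Callable[..., int], sigma: State, args: List[Atom],
                   a: Atom, b: Atom) -> bool:
    """obs(pi.sigma, pi.args) == obs(sigma, args) for the swapping pi = (a b):
    the permutation-invariance the paper requires of every observation."""
    pi_sigma = State([swap(a, b, x) for x in sigma.created])
    pi_args = [swap(a, b, x) for x in args]
    return obs(pi_sigma, *pi_args) == obs(sigma, *args)


def affine_check() -> Dict[str, bool]:
    """Does creating an extra atom *before* the arguments change the result?
    An affine observation (lt) is insensitive to this; card is not.
    The states [5, 7] and [3, 5, 7] are constructed sample data."""
    short, long = State([5, 7]), State([3, 5, 7])
    return {"lt": lt(short, 5, 7) == lt(long, 5, 7),
            "card": card(short, 5) == card(long, 5)}


def succ_breaks_invariant() -> bool:
    """Freshly generated atoms keep the invariant; succ of the newest atom breaks it."""
    sigma = State()
    a, b = sigma.fresh(), sigma.fresh()
    return invariant_holds(sigma, a, b) and not invariant_holds(sigma, succ(sigma, b))
```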

6.3. Mechanising Meta-Theory. The techniques we used here to prove the Correctness of Representation property are operationally based, in contrast to the denotational techniques used in [Shi05a, SP05b]. The advantage of working directly with the syntax and operational semantics of the language is that there are lower mathematical "overheads"— various kinds of induction being the main techniques involved. The disadvantage is that to deploy such inductive techniques often involves great ingenuity in choosing inductive hypotheses and much error-prone tedium in checking induction steps. Furthermore, with these methods it seems harder to predict the effect that a slight change in language or formalisation may have on a proof. Although ingenuity in choosing inductive hypotheses may always be the preserve of humans, machine assistance of the kind envisaged by the "POPLmark challenge" [ABF+05] seems a very good idea for the other aspects of the operationally based approach. The main results presented here are still a challenging target for fully formalised and machine checked proofs. We have taken some care with the formalisation (using a "relational" approach to contextual equivalence, for example); but results concerning coinductive equivalences, like the CIU theorem (Theorem 4.4), are quite complex logically speaking, compared with the kind of type safety results (like Theorem 2.4) that POPLmark has focused on so far. Systems like Isabelle/HOL [NPW02] that develop proofs in full classical higher order logic seem appropriate to the task, in principle. But there is a gap between what is possible in principle for an expert of any particular system and what is currently practicable for a casual user. Urban and Berghofer [UB06] are developing a Nominal Data Type Package for Isabelle/HOL that may be very useful for narrowing this gap. The fact that FreshML and the Urban-Berghofer package both have to do with the same mathematical universe of "nominal sets" [Pit06] is perhaps slightly confusing: their Nominal Data Type Package is useful for fully formalising proofs about names and name-binding in operational semantics whether or not those proofs have to do with the particular mechanism of generative unbinding that is the focus of this paper.

7. Conclusion

The FreshML [SPG03, Shi05b] approach to functional programming with binders combines abstract types for names and name binding with an unbinding operation that involves generation of fresh names. In this paper we have studied some theoretical properties of this design to do with data correctness. We showed that the addition of integer valued observations on names does not break FreshML's fundamental Correctness of Representation property that α-equivalence classes of abstract syntax trees (for any nominal signature) coincide with contextual equivalence classes of user declared data values. In particular, it is possible to give programmers access to a linear order on names without breaking the "up to α-equivalence" representation of syntax. The simple insight behind this possibly surprising result has to do with the fact that FreshML is impure — program execution mutates the state of dynamically created names. If the state is taken into account when giving the meaning of observations on names, then the permutation invariance properties that underlie the correctness property can be retained. The original version of FreshML [PG00] was pure by dint of the "freshness inference" included in its type system. Subsequent experience with the language showed that the form of freshness inference that was used there was overly restrictive from a programming point of view. So freshness inference was dropped in [SPG03]. However, Pottier [Pot07] has recently regained purity in a FreshML-like language through the use of user-provided assertions. We have not investigated whether results like those presented in this paper also apply to Pottier's language.

This paper has been concerned with data correctness, but what about general results on program correctness? The only restriction we placed on observations on atoms is that, as functions of both the state and the names they operate upon, they should be invariant under permuting names. We have seen that the Correctness of Representation property (Theorem 5.3) remains valid in the presence of any such observation. However, we are certainly not advocating that arbitrary equivariant observations be added to FreshML. This is because some forms of observation may radically affect the general programming laws that contextual equivalence satisfies. We saw one example of this here: only for "affine" observations (which are insensitive to how many names have been created before the arguments to which they are applied) were we able to combine Propositions 5.7 and 5.10 to get an "extensionality" result explaining contextual equivalence at type $\tau\,\mathit{bnd}$ in terms of contextual equivalence at $\tau$, for arbitrary higher types $\tau$.

More investigation of program correctness properties in the presence of particular observations on atoms is needed before one can advocate adding them to the FreshML design. The techniques we used in this paper could form the basis for such an investigation. They combine the usual engine of structural operational semantics — namely syntax-directed, rule based induction — with the approach to freshness of names based on name permutations that was introduced in [GP01] and developed in [Pit03, UN05, Pit06].
Appendix A. Proof of Theorem 4.4

We wish to show that the expression relation $\cong^\circ$ of Definition 4.3 is compatible and substitutive (see Definition 4.2). We use an adaptation of "Howe's method" [How96] to do so. Let the expression relation $\cong^*$ be inductively defined from $\cong^\circ$ by the rule

$$\frac{\Gamma \vdash_w e \;\widehat{\cong^*}\; e' : \tau \qquad \Gamma \vdash_w e' \cong^\circ e'' : \tau}{\Gamma \vdash_w e \cong^* e'' : \tau} \tag{A.1}$$

In making this inductive definition, we are implicitly relying upon the easily proved fact that compatible refinement, $\mathcal{E} \mapsto \widehat{\mathcal{E}}$, is a monotone operation on expression relations, that is, $\mathcal{E}_1 \subseteq \mathcal{E}_2 \Rightarrow \widehat{\mathcal{E}_1} \subseteq \widehat{\mathcal{E}_2}$.

Lemma A.1.

(i) $\Gamma \vdash_w e \cong^* e' : \tau \;\wedge\; \Gamma \vdash_w e' \cong^\circ e'' : \tau \;\Rightarrow\; \Gamma \vdash_w e \cong^* e'' : \tau$.

(ii) $\cong^*$ is compatible and substitutive.

(iii) $\mathrm{atom}(e) \subseteq w \;\wedge\; \Gamma \vdash e : \tau \;\Rightarrow\; \Gamma \vdash_w e \cong^* e : \tau$.

(iv) $\mathrm{atom}(S) \subseteq w \;\wedge\; \Gamma \vdash S : \tau \to \tau' \;\Rightarrow\; \Gamma \vdash_w S \cong^* S : \tau \to \tau'$.

(v) $\Gamma \vdash_w v \cong^* e' : \tau \;\Rightarrow\; \exists v'.\; \Gamma \vdash_w v \;\widehat{\cong^*}\; v' : \tau \;\wedge\; \Gamma \vdash_w v' \cong^\circ e' : \tau$.

Proof. These properties of $\cong^*$ are simple consequences of its definition and the definition of the extension of compatible refinement to a relation between frame stacks given by the last two rules in Figure 8. □

Lemma A.2.

(i) $\cong^*$ is equivariant.

(ii) $\Gamma \vdash_w e \cong^* e' : \tau \;\wedge\; w \subseteq w' \;\Rightarrow\; \Gamma \vdash_{w'} e \cong^* e' : \tau$.

(iii) $\Gamma \vdash_w S \cong^* S' : \tau \to \tau' \;\wedge\; w \subseteq w' \;\Rightarrow\; \Gamma \vdash_{w'} S \cong^* S' : \tau \to \tau'$.

Proof. Part (i) follows from the fact that $\cong^\circ$ is equivariant, which in turn is a consequence of Lemma 3.2. Parts (ii) and (iii) are consequences of the fact that world weakening is built into the definition of operational equivalence in Definition 4.1. □

Lemma A.3. $\Gamma \vdash_w e \cong^\circ e' : \tau \;\Rightarrow\; \Gamma \vdash_w e \cong^* e' : \tau$.

Proof. If $\Gamma \vdash_w e \cong^\circ e' : \tau$, then in particular $\mathrm{atom}(e) \subseteq w$ and $\Gamma \vdash e : \tau$, so that by Lemma A.1(iii) we have $\Gamma \vdash_w e \cong^* e : \tau$; so from part (i) of that lemma we get $\Gamma \vdash_w e \cong^* e' : \tau$. □
We wish to show that $\cong^*$ coincides with $\cong^\circ$. In view of the previous lemma, it just remains to show that $\cong^* \subseteq \cong^\circ$. Lemma A.5 provides the key to this. Before stating that lemma we give some simple properties of $\cong$ that are needed to prove it.

Lemma A.4.

(i) $\vdash_w a \cong a' : \mathit{atm} \;\Rightarrow\; a = a'$.

(ii) $\vdash_w v \cong v' : \tau\,\mathit{bnd} \;\Rightarrow\; \vdash_w \mathit{unbind}\ v \cong \mathit{unbind}\ v' : \mathit{atm} * \tau$.

(iii) If $\vdash_w v \cong v' : \tau_1 \to \tau_2$, then for any world $w' \supseteq w$ and value $v_1$ with $\mathrm{atom}(v_1) \subseteq w'$ and $\vdash v_1 : \tau_1$, it is the case that $\vdash_{w'} v\,v_1 \cong v'\,v_1 : \tau_2$.

Proof. For part (i) we make use of the fact that $O$ always contains the atom equality function $\mathit{eq}$ from Figure 7. Consider the frame stack

$$S_a = \mathit{Id} \circ (x.\ \mathit{let}\ y = \mathit{eq}\ x\ a\ \mathit{in}\ \mathit{match}\ y\ \mathit{with}\ (\mathit{Zero} \to ()\ |\ \mathit{Succ}\ z \to \mathit{diverge})) .$$

If $a \neq a'$ are distinct elements of $w$, then choosing some $\sigma \in \mathit{State}$ with $\mathrm{atom}(\sigma) = w$, it is not hard to see that $\langle\sigma, S_a, a\rangle\downarrow$ holds whereas $\langle\sigma, S_a, a'\rangle\downarrow$ does not hold. So if $\vdash_w a \cong a' : \mathit{atm}$, it cannot be the case that $a \neq a'$.

For part (ii), given any $\sigma$, $S$ and $\tau'$ with $w \cup \mathrm{atom}(S) \subseteq \mathrm{atom}(\sigma)$ and $\vdash S : \tau \to \tau'$, then

$$\begin{array}{rcll}
\langle\sigma, S, \mathit{unbind}\ v\rangle\downarrow & \Leftrightarrow & \langle\sigma, S \circ (x.\ \mathit{unbind}\ x), v\rangle\downarrow & \text{by definition of } \downarrow \\
& \Leftrightarrow & \langle\sigma, S \circ (x.\ \mathit{unbind}\ x), v'\rangle\downarrow & \text{since } \vdash_w v \cong v' : \tau\,\mathit{bnd} \\
& \Leftrightarrow & \langle\sigma, S, \mathit{unbind}\ v'\rangle\downarrow & \text{by definition of } \downarrow
\end{array}$$

and thus $\vdash_w \mathit{unbind}\ v \cong \mathit{unbind}\ v' : \mathit{atm} * \tau$.

The proof of part (iii) is similar to that for (ii), using the frame $(x.\ x\,v_1)$ in place of $(x.\ \mathit{unbind}\ x)$. □

Lemma A.5. For all $n \geq 0$ and all $w, S, S', \tau, \tau', e, e', \sigma$

$$\vdash_w S \cong^* S' : \tau \to \tau' \;\wedge\; \vdash_w e \cong^* e' : \tau \;\wedge\; \mathrm{atom}(\sigma) = w \;\wedge\; \langle\sigma, S, e\rangle\downarrow_n \;\Rightarrow\; \langle\sigma, S', e'\rangle\downarrow . \tag{A.2}$$

Proof. The lemma is proved by induction on $n$. The base case $n = 0$ follows from the definition of $\cong^*$ (which implies that $\vdash_w \mathit{Id} \cong^* S' : \tau \to \tau'$ can only hold when $S' = \mathit{Id}$), combined with Lemma A.1(v) and the definition of $\cong^\circ$. For the induction step, assume (A.2) holds and that

$$\vdash_w S \cong^* S' : \tau \to \tau' \tag{A.3}$$

$$\vdash_w e \cong^* e' : \tau \tag{A.4}$$

$$\mathrm{atom}(\sigma) = w \tag{A.5}$$

$$\langle\sigma, S, e\rangle \to \langle\sigma_1, S_1, e_1\rangle \tag{A.6}$$

$$\langle\sigma_1, S_1, e_1\rangle\downarrow_n \tag{A.7}$$

We have to prove $\langle\sigma, S', e'\rangle\downarrow$ and do so by an analysis of (A.6) against the possible cases (1)–(9) in the definition of the transition relation in Figure
Case (1). In this case $S = S_1 \circ (x.\ e_2)$, $e = v \in \mathit{Val}$, $\sigma_1 = \sigma$, and $e_1 = e_2[v/x]$, for some $e_2$ and $v$. For (A.3) to hold, by definition of $\cong^*$ it must be the case that $S' = S_1' \circ (x.\ e_2')$ for some $S_1'$ and $e_2'$ with

$$\{x : \tau\} \vdash_w e_2 \cong^* e_2' : \tau_2 \tag{A.8}$$

$$\vdash_w S_1 \cong^* S_1' : \tau_2 \to \tau' \tag{A.9}$$

for some type $\tau_2$. Since $e = v$ is a value, applying Lemma A.1(v) to (A.4) we get

$$\vdash_w v \;\widehat{\cong^*}\; v' : \tau \tag{A.10}$$

$$\vdash_w v' \cong^\circ e' : \tau \tag{A.11}$$

for some $v' \in \mathit{Val}$. Since $\cong^*$ is substitutive (Lemma A.1(ii)), from (A.8) and (A.10) we get

$$\vdash_w e_2[v/x] \cong^* e_2'[v'/x] : \tau_2 . \tag{A.12}$$

Applying the induction hypothesis (A.2) to (A.9), (A.12), (A.5) and to (A.7), we get $\langle\sigma, S_1', e_2'[v'/x]\rangle\downarrow$; hence $\langle\sigma, S_1' \circ (x.\ e_2'), v'\rangle\downarrow$, that is, $\langle\sigma, S', v'\rangle\downarrow$; and therefore by (A.11) we also have $\langle\sigma, S', e'\rangle\downarrow$, as required.

Case (2). In this case we have $e = \mathit{let}\ x = e_1\ \mathit{in}\ e_2$, $\sigma_1 = \sigma$ and $S_1 = S \circ (x.\ e_2)$ for some $e_2$. Since (A.4) holds, by definition of $\cong^*$, there must exist some $e_1'$, $e_2'$ and $\tau_1$ with

$$\vdash_w e_1 \cong^* e_1' : \tau_1 \tag{A.13}$$

$$\{x : \tau_1\} \vdash_w e_2 \cong^* e_2' : \tau \tag{A.14}$$

$$\vdash_w (\mathit{let}\ x = e_1'\ \mathit{in}\ e_2') \cong^\circ e' : \tau \tag{A.15}$$

and then from (A.3) and (A.14) we get

$$\vdash_w S \circ (x.\ e_2) \cong^* S' \circ (x.\ e_2') : \tau_1 \to \tau' . \tag{A.16}$$

The induction hypothesis (A.2) applied to (A.16), (A.13) and (A.7) gives $\langle\sigma, S' \circ (x.\ e_2'), e_1'\rangle\downarrow$ and hence $\langle\sigma, S', \mathit{let}\ x = e_1'\ \mathit{in}\ e_2'\rangle\downarrow$. This and (A.15) then give $\langle\sigma, S', e'\rangle\downarrow$, as required.

Case (3). This follows from the definition of $\cong^*$ using its substitutivity property, much as for case (1).

Case (4). In this case $e = \mathit{fst}(v_1, v_2)$, $\sigma_1 = \sigma$ and $e_1 = v_1$, for some $\tau_1, \tau_2 \in \mathit{Typ}$ and $v_1, v_2 \in \mathit{Val}$ with $\vdash v_i : \tau_i$. By definition of $\cong^*$, for (A.4) to hold it must be the case that

$$\vdash_w v_i \cong^* v_i' : \tau_i \quad (\text{for } i = 1, 2) \tag{A.17}$$

$$\vdash_w \mathit{fst}(v_1', v_2') \cong^\circ e' : \tau \tag{A.18}$$

for some $v_1'$ and $v_2'$. By the induction hypothesis (A.2) applied to (A.3), (A.17), (A.5) and (A.7), we get $\langle\sigma, S', v_1'\rangle\downarrow$ and hence also $\langle\sigma, S', \mathit{fst}(v_1', v_2')\rangle\downarrow$. Hence by (A.18) we have $\langle\sigma, S', e'\rangle\downarrow$, as required.

Case (5). This is similar to the previous case.
Case (6). In this case $e = v_1\,v_2$, $\sigma_1 = \sigma$, $S_1 = S$ and $e_1 = e_2[v_1, v_2/f, x]$ for some $v_1 = \mathit{fun}(f\,x = e_2)$ and $v_2$. Since (A.4) holds, by definition of $\cong^*$ together with Lemma A.4(iii), there must exist some $e_2'$, $v_2'$ and $\tau_1$ with

$$\{f : \tau_1 \to \tau,\ x : \tau_1\} \vdash_w e_2 \cong^* e_2' : \tau \tag{A.19}$$

$$\vdash_w v_2 \cong^* v_2' : \tau_1 \tag{A.20}$$

$$\vdash_w \mathit{fun}(f\,x = e_2')\,v_2' \cong^\circ e' : \tau . \tag{A.21}$$

Since $\cong^*$ is compatible (Lemma A.1(ii)), from (A.19) we get $\vdash_w v_1 \cong^* \mathit{fun}(f\,x = e_2') : \tau_1 \to \tau$; and since $\cong^*$ is also substitutive, this together with (A.19) and (A.20) gives $\vdash_w e_2[v_1, v_2/f, x] \cong^* e_2'[\mathit{fun}(f\,x = e_2'), v_2'/f, x] : \tau$. Therefore by the induction hypothesis (A.2) applied to (A.3), this, (A.5) and (A.7), we get $\langle\sigma, S', e_2'[\mathit{fun}(f\,x = e_2'), v_2'/f, x]\rangle\downarrow$. Hence $\langle\sigma, S', \mathit{fun}(f\,x = e_2')\,v_2'\rangle\downarrow$ and thus by (A.21), $\langle\sigma, S', e'\rangle\downarrow$ as required.

Case (7). In this case $\tau = \mathit{atm}$, $e = \mathit{fresh}()$, $\sigma_1 = \sigma \oplus a$, $S_1 = S$ and $e_1 = a$, for some $a \notin \mathrm{atom}(\sigma) = w$. Since (A.4) holds, by definition of $\cong^*$ we have

$$\vdash_w \mathit{fresh}() \cong^\circ e' : \mathit{atm} . \tag{A.22}$$

By Lemma A.2(iii) applied to (A.3), we have $\vdash_{w \cup \{a\}} S \cong^* S' : \mathit{atm} \to \tau'$; and by Lemma A.1(iii) we also have $\vdash_{w \cup \{a\}} a \cong^* a : \mathit{atm}$. So by the induction hypothesis (A.2) applied to these, $\mathrm{atom}(\sigma \oplus a) = w \cup \{a\}$ and (A.7), we get $\langle\sigma \oplus a, S', a\rangle\downarrow$. Hence $\langle\sigma, S', \mathit{fresh}()\rangle\downarrow$ and hence from (A.22) we also have $\langle\sigma, S', e'\rangle\downarrow$, as required.

Case (8). In this case $\tau = \mathit{atm} * \tau_1$, $e = \mathit{unbind}\ \langle\!\langle a \rangle\!\rangle v$, $\sigma_1 = \sigma \oplus a_1$, $S_1 = S$, and $e_1 = (a_1, v\{a_1/a\})$, for some $\tau_1$, $a$, $v$ and $a_1$ with $a_1 \notin \mathrm{atom}(\sigma) = w$. Since (A.4) holds, by definition of $\cong^*$ together with parts (i) and (ii) of Lemma A.4, there must exist some $v'$ with

$$\vdash_w v \cong^* v' : \tau_1 \tag{A.23}$$

$$\vdash_w \mathit{unbind}\ \langle\!\langle a \rangle\!\rangle v' \cong^\circ e' : \mathit{atm} * \tau_1 . \tag{A.24}$$

We now appeal to the easily verified fact that since $a_1 \notin w \supseteq \mathrm{atom}(v, v')$, the renamed values $v\{a_1/a\}$ and $v'\{a_1/a\}$ are respectively equal to the permuted values $(a\ a_1) \cdot v$ and $(a\ a_1) \cdot v'$ (where $(a\ a_1)$ denotes the permutation swapping $a$ and $a_1$). Therefore by parts (i) and (ii) of Lemma A.2 applied to (A.23) and by parts (ii) and (iii) of Lemma A.1 we have

$$\vdash_{w \cup \{a_1\}} (a_1, v\{a_1/a\}) \cong^* (a_1, v'\{a_1/a\}) : \mathit{atm} * \tau_1 . \tag{A.25}$$

By applying Lemma A.2(iii) to (A.3) we also have

$$\vdash_{w \cup \{a_1\}} S \cong^* S' : \mathit{atm} * \tau_1 \to \tau' .$$

Then applying the induction hypothesis (A.2) to this, (A.25), $\mathrm{atom}(\sigma \oplus a_1) = w \cup \{a_1\}$ and (A.7) yields $\langle\sigma \oplus a_1, S', (a_1, v'\{a_1/a\})\rangle\downarrow$. Therefore $\langle\sigma, S', \mathit{unbind}\ \langle\!\langle a \rangle\!\rangle v'\rangle\downarrow$; and hence by (A.24), we also have $\langle\sigma, S', e'\rangle\downarrow$, as required.
Case (9). In this case $\tau = \mathit{nat}$, $e = \mathit{obs}\ a_1 \ldots a_k$ for some $a_1, \ldots, a_k \in w$, $\sigma_1 = \sigma$, $S_1 = S$, and $e_1 = \ulcorner m \urcorner$ where $m = [\![\mathit{obs}]\!]_\sigma(a_1, \ldots, a_k)$. Since (A.4) holds, by definition of $\cong^*$ together with Lemma A.4(i), we must have

$$\vdash_w \mathit{obs}\ a_1 \ldots a_k \cong^\circ e' : \mathit{nat} . \tag{A.26}$$

Note that by Lemma A.1(iii) we also have $\vdash_w \ulcorner m \urcorner \cong^* \ulcorner m \urcorner : \mathit{nat}$. So by the induction hypothesis (A.2) applied to this, (A.3), (A.5) and (A.7) we get $\langle\sigma, S', \ulcorner m \urcorner\rangle\downarrow$. Since $m = [\![\mathit{obs}]\!]_\sigma(a_1, \ldots, a_k)$, this implies that $\langle\sigma, S', \mathit{obs}\ a_1 \ldots a_k\rangle\downarrow$ and hence from (A.26) we have that $\langle\sigma, S', e'\rangle\downarrow$ holds, as required.

This completes the proof of Lemma A.5. □

Lemma A.6. Let $(\cong^*)^+$ denote the transitive closure of $\cong^*$. Then

$$\Gamma \vdash_w e \cong^* e' : \tau \;\Rightarrow\; \Gamma \vdash_w e' \,(\cong^*)^+\, e : \tau .$$

Proof. This can be proved by induction on the derivation of $\Gamma \vdash_w e \cong^* e' : \tau$ from the rule in (A.1) and the rules for compatible refinement in Figure 8, using the fact that $\cong^\circ$ is symmetric and using Lemmas A.3 and A.1(iii). □

We can now complete the proof of Theorem 4.4 by showing that $\cong^\circ$ is compatible and substitutive (Definition 4.2). Since $\cong^*$ has those properties by Lemma A.1(ii), it suffices to show that $\cong^\circ$ coincides with $\cong^*$. We already noted in Lemma A.3 that $\cong^\circ$ is contained in $\cong^*$. For the reverse inclusion, since $\cong^*$ is substitutive and reflexive (Lemma A.1), it is closed under substituting values for variables; so by Definition 4.3 it suffices to show that

$$\vdash_w e \cong^* e' : \tau \;\Rightarrow\; \vdash_w e \cong e' : \tau . \tag{A.27}$$

To see this, note that by Lemma A.5 (together with Lemmas A.1(iv) and A.2(ii)) we have:

$$\{\} \vdash_w e \cong^* e' : \tau \;\Rightarrow\; \forall \sigma, S, \tau'.\; w \cup \mathrm{atom}(S) \subseteq \mathrm{atom}(\sigma) \;\wedge\; \{\} \vdash S : \tau \to \tau' \;\wedge\; \langle\sigma, S, e\rangle\downarrow \;\Rightarrow\; \langle\sigma, S, e'\rangle\downarrow . \tag{A.28}$$

Since the right-hand side of the implication in (A.28) is a transitive relation between expressions $e, e'$, we also have

$$\{\} \vdash_w e \,(\cong^*)^+\, e' : \tau \;\Rightarrow\; \forall \sigma, S, \tau'.\; w \cup \mathrm{atom}(S) \subseteq \mathrm{atom}(\sigma) \;\wedge\; \{\} \vdash S : \tau \to \tau' \;\wedge\; \langle\sigma, S, e\rangle\downarrow \;\Rightarrow\; \langle\sigma, S, e'\rangle\downarrow$$

and therefore Lemma A.6 gives

$$\{\} \vdash_w e \cong^* e' : \tau \;\Rightarrow\; \forall \sigma, S, \tau'.\; w \cup \mathrm{atom}(S) \subseteq \mathrm{atom}(\sigma) \;\wedge\; \{\} \vdash S : \tau \to \tau' \;\wedge\; \langle\sigma, S, e'\rangle\downarrow \;\Rightarrow\; \langle\sigma, S, e\rangle\downarrow . \tag{A.29}$$

Combining (A.28) and (A.29) gives (A.27). □
Appendix B. Proof of Proposition 5.7

Let $\mathcal{E}$ be the closure under compatible refinement (Figure 8) of the pairs of closed atom binding values that we wish to show are operationally equivalent. In other words $\mathcal{E}$ is the expression relation inductively defined by the following two rules.

$$\frac{a'' \notin w \supseteq \mathrm{atom}(a, v, a', v') \qquad \vdash_{w \cup \{a''\}} v\{a''/a\} \cong v'\{a''/a'\} : \tau}{\vdash_w \langle\!\langle a \rangle\!\rangle v \;\mathcal{E}\; \langle\!\langle a' \rangle\!\rangle v' : \tau\,\mathit{bnd}} \qquad\qquad \frac{\Gamma \vdash_w e \;\widehat{\mathcal{E}}\; e' : \tau}{\Gamma \vdash_w e \;\mathcal{E}\; e' : \tau} \tag{B.1}$$

Lemma B.1.

(i) $\mathcal{E}$ is compatible and substitutive.

(ii) $\mathrm{atom}(e) \subseteq w \;\wedge\; \Gamma \vdash e : \tau \;\Rightarrow\; \Gamma \vdash_w e \;\mathcal{E}\; e : \tau$.

(iii) $\mathrm{atom}(S) \subseteq w \;\wedge\; \Gamma \vdash S : \tau \to \tau' \;\Rightarrow\; \Gamma \vdash_w S \;\mathcal{E}\; S : \tau \to \tau'$.

(iv) $\Gamma \vdash_w v \;\mathcal{E}\; e' : \tau \;\Rightarrow\; e' \in \mathit{Val}$.

Proof. These properties of $\mathcal{E}$ are simple consequences of its definition in (B.1), the definition of compatible refinement in Figure 8, and the definition of its extension to a relation between frame stacks given by the last two rules in that figure. □

Lemma B.2.

(i) $\mathcal{E}$ is equivariant.

(ii) $\Gamma \vdash_w e \;\mathcal{E}\; e' : \tau \;\wedge\; w \subseteq w' \;\Rightarrow\; \Gamma \vdash_{w'} e \;\mathcal{E}\; e' : \tau$.

(iii) $\Gamma \vdash_w S \;\mathcal{E}\; S' : \tau \to \tau' \;\wedge\; w \subseteq w' \;\Rightarrow\; \Gamma \vdash_{w'} S \;\mathcal{E}\; S' : \tau \to \tau'$.

Proof. This is the analogue of Lemma A.2 for $\mathcal{E}$, and is proved in the same way as that lemma. □

Lemma B.3. For all $n \geq 0$ and all $w, S, S', \tau, \tau', e, e', \sigma$

$$\vdash_w S \;\mathcal{E}\; S' : \tau \to \tau' \;\wedge\; \vdash_w e \;\mathcal{E}\; e' : \tau \;\wedge\; \mathrm{atom}(\sigma) = w \;\wedge\; \langle\sigma, S, e\rangle\downarrow_n \;\Rightarrow\; \langle\sigma, S', e'\rangle\downarrow . \tag{B.2}$$

Proof. The lemma is proved by induction on $n$. The base case $n = 0$ follows directly from Lemma B.1(iii) and the definition of $\mathcal{E}$ (which implies that $\{\} \vdash_w \mathit{Id} \;\mathcal{E}\; S' : \tau \to \tau'$ can only hold when $S' = \mathit{Id}$). For the induction step, assume (B.2) holds and that

$$\vdash_w S \;\mathcal{E}\; S' : \tau \to \tau' \tag{B.3}$$

$$\{\} \vdash_w e \;\mathcal{E}\; e' : \tau \tag{B.4}$$

$$\mathrm{atom}(\sigma) = w \tag{B.5}$$

$$\langle\sigma, S, e\rangle \to \langle\sigma_1, S_1, e_1\rangle \tag{B.6}$$

$$\langle\sigma_1, S_1, e_1\rangle\downarrow_n \tag{B.7}$$

We have to prove $\langle\sigma, S', e'\rangle\downarrow$ and do so by an analysis of (B.6) against the possible cases (1)–(9) in the definition of the transition relation in Figure. Cases (1), (3) and (6) follow from the definition of $\mathcal{E}$ and its substitutivity property; we give the details for the first one and omit the other two. Cases (4), (5) and (9) also follow easily from the definition of $\mathcal{E}$ (using Lemma B.1(ii) in the third case). So we give the proofs just for cases (1), (2), (7) and (8).
Case (1). In this case $S = S_1 \circ (x.\ e_2)$, $e = v \in \mathit{Val}$, $\sigma_1 = \sigma$, and $e_1 = e_2[v/x]$, for some $e_2$ and $v$. For (B.3) to hold, by definition of $\mathcal{E}$ it must be the case that $S' = S_1' \circ (x.\ e_2')$ for some $S_1'$ and $e_2'$ with

$$\{x : \tau\} \vdash_w e_2 \;\mathcal{E}\; e_2' : \tau_2 \tag{B.8}$$

$$\vdash_w S_1 \;\mathcal{E}\; S_1' : \tau_2 \to \tau' \tag{B.9}$$

for some type $\tau_2$. Since $e = v$ is a value, applying Lemma B.1(iv) to (B.4) we get $e' = v'$ for some $v' \in \mathit{Val}$. So since $\mathcal{E}$ is substitutive (Lemma B.1(i)), from (B.4) and (B.8) we get

$$\vdash_w e_2[v/x] \;\mathcal{E}\; e_2'[v'/x] : \tau_2 . \tag{B.10}$$

Applying the induction hypothesis (B.2) to (B.9), (B.10), (B.5) and to (B.7), we get $\langle\sigma, S_1', e_2'[v'/x]\rangle\downarrow$; hence $\langle\sigma, S_1' \circ (x.\ e_2'), v'\rangle\downarrow$, that is, $\langle\sigma, S', e'\rangle\downarrow$, as required.

Case (2). In this case $e = \mathit{let}\ x = e_1\ \mathit{in}\ e_2$, $\sigma_1 = \sigma$ and $S_1 = S \circ (x.\ e_2)$ for some $e_2$. For (B.4) to hold, by definition of $\mathcal{E}$ it must be the case that $e' = \mathit{let}\ x = e_1'\ \mathit{in}\ e_2'$ for some $e_1'$, $e_2'$ and $\tau_1$ with

$$\{\} \vdash_w e_1 \;\mathcal{E}\; e_1' : \tau_1 \tag{B.11}$$

$$\{x : \tau_1\} \vdash_w e_2 \;\mathcal{E}\; e_2' : \tau . \tag{B.12}$$

From (B.3) and (B.12) we get $\vdash_w S \circ (x.\ e_2) \;\mathcal{E}\; S' \circ (x.\ e_2') : \tau_1 \to \tau'$; and the induction hypothesis (B.2) applied to this, (B.11), (B.5) and (B.7) gives $\langle\sigma, S' \circ (x.\ e_2'), e_1'\rangle\downarrow$. Hence $\langle\sigma, S', \mathit{let}\ x = e_1'\ \mathit{in}\ e_2'\rangle\downarrow$, that is, $\langle\sigma, S', e'\rangle\downarrow$, as required.

Case (7). In this case $\tau = \mathit{atm}$, $e = \mathit{fresh}()$, $\sigma_1 = \sigma \oplus a$, $S_1 = S$ and $e_1 = a$, for some atom $a \notin w$. For (B.4) to hold, by definition of $\mathcal{E}$ it must be the case that $e' = \mathit{fresh}()$. Now Lemma B.2(iii) applied to (B.3) gives $\vdash_{w \cup \{a\}} S \;\mathcal{E}\; S' : \tau \to \tau'$; and Lemma B.1(ii) gives $\vdash_{w \cup \{a\}} a \;\mathcal{E}\; a : \mathit{atm}$. Applying the induction hypothesis (B.2) to these two facts, $\mathrm{atom}(\sigma \oplus a) = w \cup \{a\}$ and (B.7) gives $\langle\sigma \oplus a, S', a\rangle\downarrow$. Hence $\langle\sigma, S', \mathit{fresh}()\rangle\downarrow$, that is, $\langle\sigma, S', e'\rangle\downarrow$, as required.



Case (8). In this case $\tau = \mathit{atm} * \tau_1$, $e = \mathit{unbind}\ \langle\!\langle a \rangle\!\rangle v$, $\sigma_1 = \sigma \oplus a_1$, $S_1 = S$, and $e_1 = (a_1, v\{a_1/a\})$, for some $\tau_1$, $a$, $v$ and $a_1$ with $a_1 \notin w$. For (B.4) to hold, by definition of $\mathcal{E}$ it must be the case that $e' = \mathit{unbind}\ \langle\!\langle a' \rangle\!\rangle v'$ with

$$\begin{array}{ll}
\text{either (a):} & a = a' \;\wedge\; \vdash_w v \;\mathcal{E}\; v' : \tau_1 , \\
\text{or (b):} & \exists a'' \notin w.\; \vdash_{w \cup \{a''\}} v\{a''/a\} \cong v'\{a''/a'\} : \tau_1 .
\end{array} \tag{B.13}$$

If (B.13)(a) holds, then as in the proof of Lemma A.5 we appeal to the easily verified fact that since $a_1 \notin w \supseteq \mathrm{atom}(v, v')$, the renamed values $v\{a_1/a\}$ and $v'\{a_1/a\}$ are respectively equal to the permuted values $(a\ a_1) \cdot v$ and $(a\ a_1) \cdot v'$ (where $(a\ a_1)$ denotes the permutation swapping $a$ and $a_1$). Therefore from the fact that $\vdash_w v \;\mathcal{E}\; v' : \tau_1$ holds, from parts (i) and (ii) of Lemma B.2 we get $\vdash_{w \cup \{a_1\}} v\{a_1/a\} \;\mathcal{E}\; v'\{a_1/a\} : \tau_1$. Then since $a = a'$, by Lemma B.1(ii) we have $\vdash_{w \cup \{a_1\}} (a_1, v\{a_1/a\}) \;\mathcal{E}\; (a_1, v'\{a_1/a'\}) : \mathit{atm} * \tau_1$. Applying the induction hypothesis (B.2) to this, (B.3) (weakened using Lemma B.2(iii)), $\mathrm{atom}(\sigma \oplus a_1) = w \cup \{a_1\}$ and (B.7) yields $\langle\sigma \oplus a_1, S', (a_1, v'\{a_1/a\})\rangle\downarrow$ with $a_1 \notin \mathrm{atom}(\sigma)$. Therefore by definition of $\downarrow$ we also have $\langle\sigma, S', \mathit{unbind}\ \langle\!\langle a' \rangle\!\rangle v'\rangle\downarrow$.
If (B.13)(b) holds, then by Theorem 4.4 so does

$$\vdash_{w \cup \{a''\}} (a'', v\{a''/a\}) \cong (a'', v'\{a''/a'\}) : \mathit{atm} * \tau_1 . \tag{B.14}$$

Lemma 3.2 applied to (B.7) with $\pi = (a_1\ a'')$ gives $\langle\sigma \oplus a'', S, (a'', v\{a''/a\})\rangle\downarrow_n$. Combining this with (B.3) (weakened using Lemma B.2(iii)), $\vdash_{w \cup \{a''\}} (a'', v\{a''/a\}) \;\mathcal{E}\; (a'', v\{a''/a\}) : \mathit{atm} * \tau_1$ (by Lemma B.1(ii)), $\mathrm{atom}(\sigma \oplus a'') = w \cup \{a''\}$ and the induction hypothesis (B.2), we get $\langle\sigma \oplus a'', S', (a'', v\{a''/a\})\rangle\downarrow$. Then by definition of $\cong$, from this and (B.14) we get $\langle\sigma \oplus a'', S', (a'', v'\{a''/a'\})\rangle\downarrow$ with $a'' \notin \mathrm{atom}(\sigma)$. Therefore as before, by definition of $\downarrow$ we also have $\langle\sigma, S', \mathit{unbind}\ \langle\!\langle a' \rangle\!\rangle v'\rangle\downarrow$.

So in either case in (B.13), since $e' = \mathit{unbind}\ \langle\!\langle a' \rangle\!\rangle v'$, we get $\langle\sigma, S', e'\rangle\downarrow$, as required.

This completes the proof of Lemma B.3. □

We can now complete the proof of Proposition 5.7. For any type $\tau \in \mathit{Typ}$, suppose we are given closed, well-typed atom binding values $\vdash \langle\!\langle a \rangle\!\rangle v : \tau\,\mathit{bnd}$ and $\vdash \langle\!\langle a' \rangle\!\rangle v' : \tau\,\mathit{bnd}$ with $\mathrm{atom}(a, v, a', v') \subseteq w$ and satisfying

$$\vdash_{w \cup \{a''\}} v\{a''/a\} \cong v'\{a''/a'\} : \tau \tag{B.15}$$

for some atom $a'' \notin w$. By definition of $\mathcal{E}$ this implies

$$\vdash_w \langle\!\langle a \rangle\!\rangle v \;\mathcal{E}\; \langle\!\langle a' \rangle\!\rangle v' : \tau\,\mathit{bnd} . \tag{B.16}$$

For any $w'$, $\sigma$, $S$, and $\tau'$ with $\mathrm{atom}(\sigma) = w' \supseteq w \cup \mathrm{atom}(S)$ and $\vdash S : \tau \to \tau'$, we have

$$\vdash_{w'} S \;\mathcal{E}\; S : \tau \to \tau' \tag{B.17}$$

by Lemma B.1(iii) and

$$\vdash_{w'} \langle\!\langle a \rangle\!\rangle v \;\mathcal{E}\; \langle\!\langle a' \rangle\!\rangle v' : \tau\,\mathit{bnd} \tag{B.18}$$

by Lemma B.2(ii) applied to (B.16). So by Lemma B.3 applied to (B.17), (B.18) and $\mathrm{atom}(\sigma) = w'$, we have

$$\langle\sigma, S, \langle\!\langle a \rangle\!\rangle v\rangle\downarrow \;\Rightarrow\; \langle\sigma, S, \langle\!\langle a' \rangle\!\rangle v'\rangle\downarrow .$$

Since $\cong$ is symmetric, the same argument shows that (B.15) implies

$$\langle\sigma, S, \langle\!\langle a' \rangle\!\rangle v'\rangle\downarrow \;\Rightarrow\; \langle\sigma, S, \langle\!\langle a \rangle\!\rangle v\rangle\downarrow .$$

Thus (B.15) implies that $\langle\!\langle a \rangle\!\rangle v$ and $\langle\!\langle a' \rangle\!\rangle v'$ are operationally equivalent, as required. □